DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This office action is in response to the claim amendments filed January 18, 2022.
Claims 2-4 have been canceled.
Claims 1 and 5-12 are pending.
Claims 1 and 5-12 have been examined.

Response to Arguments
With respect to Claim Rejection - 35 USC § 103
Regarding claim 1: Applicant is of the opinion prior art fails to disclose (see Applicant Arguments/Remarks pages 10-11):
Applicant Arguments/Remarks: “Firstly, ZHANG does not disclose the use of a symmetric bilinear function. Indeed, in the blind signature generation and verification technique described in ZHANG, such a property is not required, whereas it is in the present application. Furthermore, the context for using a bilinear function as proposed in ZHANG is very different from that described in the present application. Indeed, ZHANG describes a blind signature mechanism aiming at preserving the anonymity of a user (cf. [0038] "the blind signature of the present invention provides the user's anonymity"), which is clearly not the objective sought in the present application. Furthermore, the signature generated in ZHANG does not take into account both a user identifier and a communication terminal identifier. Thus, a person skilled in the art would not have been encouraged to use the teachings of ZHANG to generate a common authentication code such as the one claimed.”

Applicant’s arguments with respect to claim 1 have been considered.  The Examiner, however, respectfully disagrees.
Zhang discloses, use of a symmetric bilinear function (Zhang [0009-0010], “…an object of the present invention to provide a method and an apparatus for generating and verifying an identity based blind signature by using bilinear parings, which reduces the amount of computing time and storage and simplifies the key management procedures. In accordance with one aspect of the present invention, there is provided a method for generating and verifying an ID-based blind signature by using bilinear parings, comprising the steps of: generating system parameters, selecting a master key, and then disclosing the system parameters by a trust authority; generating a private key by using a signer's identity and the master key, and then transferring the private key to the signer through a secure channel by the trust authority…”).
Zhang further discloses, use of a symmetric bilinear function (Zhang [0036], the Examiner considers the symmetric to be the supersingular. “The ID-based blind signature scheme can be performed with supersingular elliptic curves or hyperelliptic curves. The essential operation in the ID-based signature schemes is to compute a bilinear pairing. The computation of a bilinear pairing may be performed efficiently and the length of a signature can be reduced by using compression techniques.”),
Additionally, the symmetric is well-known encryption in the art and uses the same key to encrypt/decrypt. Also known as shared key encryption. Applicant have not shown the presented symmetric or symmetric bilinear function’s specific function or character. Applicant is encouraged to positively claim the specific function(s) or character(s) of symmetric bilinear function which Applicant deems as novel. The Examiner propose having the claims be amended to include the novel features of the symmetric bilinear function of what the Applicant deems as their invention in order to re-analyze the claims to determine whether they are patent eligible.

Applicant further is of the opinion prior art fails to disclose (see Applicant Arguments/Remarks pages 11-12):
Applicant Arguments/Remarks: “Secondly, LIM does not disclose: the detection, by a transactional data processing device of a communication terminal, of the display of a form by an application initiating a payment transaction, and, in response to such detection, the activation of a contactless reader and the taking of control by the transactional data processing device, of the screen display, via an interruption of the application initiating the transaction.”
1.    Regarding the "detection" limitation:
In LIM, it is a user action via a click on a dedicated icon ("Tap to Add" icon), and not the detection of the display of a form, that causes the activation of the contactless reader and the display of the window inviting the user to approach his card to the contactless reader (cf. [0038] "After selecting the Tap to Add icon 620, the consumer is presented with the webpage 630 shown in FIG. 6B. In particular, FIG. 6B has a "Tap to Add" window 632 superimposed over the webpage 600 of FIG. 6A which prompts the consumer to "Tap your PayPassTM enabled card or mobile device to the NFC reader on your computer. ").
Regarding the "interruption" and "takeover" limitations: 
Neither TSUI nor LIM clearly disclose a takeover of the screen display by a transactional data processing device, via an interruption of the application initiating the transaction. Indeed, these documents only teach the display of a screen or a pop-up inviting the user to approach his bank card to a contactless reader, after this user has voluntarily clicked on a button or an icon allowing the user to access this functionality. Therefore, such a display clearly seems to be managed by the application initiating the transaction itself, and, in any case, nothing indicates that it would result from an interruption of such an application, or from a takeover by another device (the transactional data processing device).

Applicant’s arguments with respect to claim 1 have been considered.  The Examiner, however, respectfully disagrees.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).
In this case, firstly, the Examiner points out that the Examiner did not relied on LIM to teach the "detection" limitation. The Examiner relied on Tsui to teach the "detection" limitation. See pages 4-5 of Non-Final Office Action, mailed on October 18, 2021 (hereinafter, "Office Action").
Secondly, Applicant failed to argue specific positively claim limitations. At best, Applicant states “LIM does not disclose: the detection, by a transactional data processing device of a communication terminal, of the display of a form by an application initiating a payment transaction, and…” Applicant must also discuss the references applied against the claims, explaining how the claims avoid the references or distinguish from them.

However, Tsui discloses the "detection" limitation as stated in the Office Action:
detecting, by the transactional data processing device, a display, made by a requesting application, of at least one entry area relating to a piece of payment data on a display screen (e.g. screen of electronic communication device 301) of the communications terminal, the requesting application having initiated the payment transaction (Tsui [0014], “The mobile computing device also includes communication circuitry configured to receive a request from a server for information to complete an information exchange, and a display device configured to display at least one user interface window in response to receiving the request from the server. The at least one user interface window includes a plurality of data entry fields corresponding to the request. The computing device includes proximity based communication circuitry configured to energize an external proximity based card that is brought into proximity with the mobile computing device.” [0086], "...In a second alternative scenario, the user in step 304 taps a proximity based communications enabled payment card against his electronic communication device…In this case, the system initiates extraction of just payment data from the payment card, and places the extracted data into corresponding fields on the displayed web page on the electronic communication device.”), (See paragraph(s) [0014], [0016], [0056], [0071] and [0084] and Fig. 1 and Fig. 3 and related text);
Thirdly, with respect to this language, “and not the detection of the display of a form”, the Examiner is unable to locate this language in the claim. 
Applicant’s arguments with respect to the “interruption" and "takeover" limitations”:
Firstly, Applicant failed to argue specific positively claim limitations. At best, Applicant states “Neither TSUI nor LIM clearly disclose a takeover of the screen display by a transactional data processing device, via an interruption of the application initiating the transaction.” Applicant must discuss the references applied against the claims, explaining how the claims avoid the references or distinguish from them.
TSUI discloses “interruption" and "takeover. TSUI clearly discloses “taking control, by the transactional data processing device, of the display made on the display screen, by interrupting the requesting application” as shown in Figs. 6A-6C. More specifically, Fig. 6B clearly discloses web page 600 (e.g., Fig. 6A) is interrupted by superimpose window 632 (e.g., Fig. 6B). Therefore, Tsui discloses the “interruption" and "takeover as stated in the Office Action.
in response to the detecting (e.g., webpage 600 / webpage 630 presented to a consumer), taking control of the display made on the display screen, by interrupting the requesting application; and, when the display is under control of the processing device (Tsui [0038], “a consumer who has registered his or her consumer device and proximity device for the one-tap add account feature can select the "Tap to Add" icon 620. After selecting the Tap to Add icon 620, the consumer is presented with the webpage 630 shown in FIG. 6B. In particular, FIG. 6B has a "Tap to Add" window 632 superimposed over the webpage 600 of FIG. 6A which prompts the consumer to "Tap your PayPass.TM. enabled card or mobile device to the NFC reader on your computer"), (See paragraphs [0037]-[0040], [0044]-[0045] and [0032] and Fig. Fig. 6A, 6B, 8A and 8B and related text).
Therefore, this ground of rejection is maintained.

Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 and 5-12 are rejected under 35 U.S.C. 103 as being unpatentable over Tsui (US 20160026997 A1) in view of Varadarajan (US 20110184867 A1) further in view of Lim et al. (US 20140074655 A1) and further in view of Zhang et al. (US 20040139029 A1).
Lim
Regarding Claim 1: Tsui discloses: A method for securing the processing of transactional data during a payment transaction, the method being implemented within a communications terminal (e.g. computing device/a client device/tablet computer/a smart phone) comprising a transactional data processing device, wherein the method comprises (See paragraph(s) [0099] and Fig. 5 and related text):
detecting, by the transactional data processing device, a display, made by a requesting application, of at least one entry area relating to a piece of payment data on a display screen (e.g. screen of electronic communication device 301) of the communications terminal, the requesting application having initiated the payment transaction (Tsui [0014], “The mobile computing device also includes communication circuitry configured to receive a request from a server for information to complete an information exchange, and a display device configured to display at least one user interface window in response to receiving the request from the server. The at least one user interface window includes a plurality of data entry fields corresponding to the request. The computing device includes proximity based communication circuitry configured to energize an external proximity based card that is brought into proximity with the mobile computing device.” [0086], "...In a second alternative scenario, the user in step 304 taps a proximity based communications enabled payment card against his electronic communication device…In this case, the system initiates extraction of just payment data from the payment card, and places the extracted data into corresponding fields on the displayed web page on the electronic communication device.”), (See paragraph(s) [0014], [0016], [0056], [0071] and [0084] and Fig. 1 and Fig. 3 and related text);
in response to the detecting, activating (e.g. step 303-304), by the transactional data processing device, a contactless data reading device (e.g. proximity based communication circuitry or module of the electronic communication device) (Tsui [0014], “The mobile computing device also includes communication circuitry configured to receive a request from a server for information to complete an information exchange, and a display device configured to display at least one user interface window in response to receiving the request from the server. The at least one user interface window includes a plurality of data entry fields corresponding to the request. The computing device includes proximity based communication circuitry configured to energize an external proximity based card that is brought into proximity with the mobile computing device. The computing device includes proximity based communication circuitry configured to energize an external proximity based card that is brought into proximity with the mobile computing device. Upon energizing the external proximity based card, the computing device receives information from the external proximity based card to populate at least one of the plurality of the data entry fields…” [0085], "...the scenario branches into one of the following two scenarios. In a first scenario, the user in step 304 taps a dedicated payment card 203 against the electronic communication device 201, which initiates data extraction from the dedicated payment card. The extracted data includes payment data, any address data, and any other user data needed to populate corresponding fields in the web page displayed on the electronic communication device.”), (see also paragraph [0014], [0016] and [0086] and Fig. 1 and Fig. 3 and related text); 
obtaining (e.g. step 306), by the contactless data reading device, at least one piece of payment data (e.g. payment data/information) coming from a contactless payment device (Tsui [0085], "...In a first scenario, the user in step 304 taps a dedicated payment card 203 against the electronic communication device 201, which initiates data extraction from the dedicated payment card. The extracted data includes payment data, any address data, and any other user data needed to populate corresponding fields in the web page displayed on the electronic communication device”, [0087], "...After the previous steps, the website typically gives the user the opportunity (306) to verify, edit, and confirm any data that was entered into the web page, regardless of whether extracted from a payment card or entered manually. The user at this point can modify, add, and/or remove data (e.g., even overriding data extracted from the payment card).”), (see also paragraphs [0085]-[0086] and Fig. 1 and Fig. 3 and related text;
[sends or providing], by the transactional data processing device, a [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) having a bank card verification code format (e.g., a Card Verification Value ("CVV") or Card Verification Code ("CVC")), the generating comprising (Tsui [0152], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.” [0131-0132], "...The third party uses the unique identifier to look up an account corresponding to the device 820, and returns authentication values from the account information. For example, the authentication values may include a ZIP or postal code, an email address, or a user name….the application sends a transaction to an authentication party”, [0012], "...In some implementations, the electronic communication device extracts data from the card that is necessary to establish the card-holder's credentials. This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data. In some implementations, the communication device outputs this data to corresponding fields of a web page.” [0137], "...In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B. If the authentication process is successful (952), the transaction is approved (956). Otherwise, the transaction is declined (954). After the approval or declination, this portion of the process is complete (958). Subsequently, the product is shipped.”) See also paragraph(s) [0003], [0012], [0066], [0131]-[0132], [0137] and [0152]):
obtaining a piece of identification data (e.g. a unique identifier of the mobile) of the communications terminal (Tsui [0022], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”), (See paragraph [0022]);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (Tsui [0016], "...In some implementations, the prompt for user authentication requires entry of a personal identification number or password by a user. In some implementations, the prompt for user authentication activates a biometric input device for user authentication”, [0166], "…In some implementations, the server issues a separate authentication request to identify the mobile device 201. In this case, the mobile device receives (1448) the authentication request from the server. In response to the authentication request, the mobile device provides (1450) a unique identifier of the device. In some implementations, the unique identifier is (1452) a MAC address, an IP address, a phone number of the device, an email address, a MSISDN number, an IMEI or MEID number, or an IMSI number.”), (See paragraphs [0016] and [0166]); and
[sends or providing]  the [CVV/security code/unique identification code] using a […]  the piece of identification data of the communications terminal and the piece of authentication data of the user (Tsui [0108-0111], "…a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device…”), (See paragraphs [0108]-[0111] and [0169]);
filling in (e.g. step 408), at the at least one entry area (e.g. data entry fields) with at least one piece of payment data previously obtained (Tsui [0075], "...In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550.” [0091], "...In step 408 the entity typically gives the user 200 the opportunity to verify, edit, and confirm any data that was acquired by the entity. In some physical environments the user at step 408 can modify, add, and/or remove data manually.”), (See paragraph(s) [0075] and [0091 and Fig. 4 and related text);
filling a pre-selected entry area corresponding to an entry area for a bank card verification code, the generated current authentication code (Tsui [0137], "...The tap and autofill process 942 is described in more detail below in FIG. 12. Whatever data entry fields are not filled by the tap process must be entered (944) manually, and the user submits (948) the transaction. In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550. In some implementations, the submission of the transaction is automated after the data entry fields are filled and does not require manual submission by the user. In some implementations, when the Tap application 550 has permission from the user, the Tap application 550 collects and stores the information that the user manually enters. In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B.”), (See paragraphs [0003], [0066] and [0137] and Fig. 12 and related text); and
returning control of the display to the requesting application (Tsui [0081]-[0082], “After the data is collected by the website 202, some websites 202 display the received data, giving the user an opportunity to verify and edit (step 116). Other websites are configured to skip this step and send the processed data directly for payment processing (step 117). In some implementations, payment data is collected by the website to facilitate a transaction process, along with address data and other user data (e.g., for shipping). In some implementations, any combination of payment data, address data, and other user data is collected during information exchange that does not involve a transaction. For example, a user may register at a social website or an online forum, and the information in the card is used to simplify the registration process.”), (See paragraphs [0081] and [0082], and Fig. 3 and related text).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

Varadarajan discloses, generating a current authentication code and formatting the current authentication code as a bank card verification code (see paragraph [0039]-[0040]).
Varadarajan further discloses, generating, by the transactional data processing device, a current authentication code a bank card verification code, the generating comprising (Varadarajan [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”, [0057], “it is understood that a generally similar system could be used for other transactional processes or authorizing and authenticating systems which require verification by inputting a user identifier or an account code and/or a secondary code, such as a PIN or additional data element.”), (see also paragraphs [0022], [0057], [0031], [0025], [0054]-[0056] and [0035]-[0039] and) and Fig. 4 and related text):
obtaining a piece of identification data of the communications terminal (See paragraph [0054], [0056] and [0057] and Fig. 4 and related text);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0055], [0056], [0057] and [0045] and Fig. 4 and related text);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

Tsui does not specifically disclose, the current authentication code is generated using a symmetric bilinear coupling function.

Zhang discloses, the current authentication code is generated using a symmetric bilinear coupling function (Zhang [0009], “, an object of the present invention to provide a method and an apparatus for generating and verifying an identity based blind signature by using bilinear parings, which reduces the amount of computing time and storage and simplifies the key management procedures.” [0036], “The ID-based blind signature scheme can be performed with supersingular elliptic curves or hyperelliptic curves. The essential operation in the ID-based signature schemes is to compute a bilinear pairing. The computation of a bilinear pairing may be performed efficiently and the length of a signature can be reduced by using compression techniques.”), (see paragraphs [0006], [0009] and [0036]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui and Varadarajan with Zhang to include function of using bilinear parings to generate an authentication code, which reduces the amount of computing time and storage and simplifies the key management procedures.

Tsui does not specifically disclose:
in response to the detecting, taking control of the display made on the display screen, by interrupting the requesting application; and, when the display is under control of the processing device;

Lim discloses:
in response to the detecting (e.g., webpage 600 / webpage 630 presented to a consumer), taking control of the display made on the display screen, by interrupting the requesting application; and, when the display is under control of the processing device (Lim [0037], “The add card webpage 600 enables the consumer to add another proximity payment device (which may be a new payment account, for example) to his or her electronic wallet, and it includes a plurality of data entry fields. In this example, the data entry fields include a card nickname field 602, a name-on-card field 604, a card number field 606, expiration date fields 608, a security code field 610, a billing address field 612 and residence address fields 614.” [0038], “a consumer who has registered his or her consumer device and proximity device for the one-tap add account feature can select the "Tap to Add" icon 620. After selecting the Tap to Add icon 620, the consumer is presented with the webpage 630 shown in FIG. 6B. In particular, FIG. 6B has a "Tap to Add" window 632 superimposed over the webpage 600 of FIG. 6A which prompts the consumer to "Tap your PayPass.TM. enabled card or mobile device to the NFC reader on your computer"), (See paragraphs [0037]-[0040], [0044]-[0045] and [0032] and Fig. Fig. 6A, 6B, 8A and 8B and related text).
Claim interpretation: originally-filed specification Pg. 9, LN 28 – Pg. 10, LN 5, “the processing module (ModT) takes possession of the display made on the communications terminal; this taking of possession is done in the form of an interruption of the requesting application (application specific to the merchant or browser); the requesting application is "frozen" and the processing module (ModT) transparently, in a highlighted form, displays for example the contactless payment logo;”

Additionally, Lim also discloses:
returning control of the display to the requesting application ([0039], “The consumer is then presented with the webpage 650 shown in FIG. 6C. In this example, as shown by the webpage 650, information has been automatically populated or filled in, based on the data read by the proximity reader and transmitted by the consumer device to the wallet server, for the data entry fields including the name on card field 604, card number field 606 and the expiration date fields 608. In some embodiments, the card data including the security code will be provided by the device authentication server upon proximity device authentication, and will be pre-populated in an un-editable manner and/or in a suppressed or inactive manner.”), (See paragraph [0039] and Fig. 6C and related text).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Tsui, Varadarajan and Zhang with Lim to include a function such as interrupting or pausing a function to populate or obtain additional data utilizing pop-up interface, hence improving users security and user experience.

Regarding Claim 5: Tsui, Varadarajan, Lim and Zhang, discloses as shown above.
Tsui further discloses: The method for securing processing according to claim 1, further comprising obtaining a value of occurrence of implementation of the method for securing processing, and when it is a first occurrence of implementation of the method, the method further comprises creating a piece of data representing a link between the communications terminal and a transaction processing server, called a piece of reference authentication data  (e.g. a unique identifier/plurality of data entry fields) (See paragraph(s) [0110] and [0157] and Fig. 14A and related text); (See paragraph [0110], "...a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device;”); (See paragraph [0157], "...The mobile computing device 201 displays (406) at least one user interface window in response to receiving the request from the server. The at least one user interface window includes (1406) a plurality of data entry fields corresponding to the request. In some implementations, the process prompts (1408) for user authentication as a prerequisite to energizing an external proximity based card, as described below. Such an authentication process helps to prevent fraud because an unauthorized user of the card would not be authenticated, and thus not able to gain access to the stored information on the card. In some implementations, prompting for user authentication requires (1410) entry of a personal identification number or password by a user. In some implementations, prompting for user authentication activates (1412) a biometric input device 556 for user authentication. Some implementations use a combination of factors for user authentication.”).

Regarding Claim 6: Tsui, Varadarajan, Lim and Zhang, discloses as shown above.
Tsui further discloses: The method for securing processing according to claim 5, wherein creating the piece of reference authentication data between the communications terminal and the transaction processing server comprises (See paragraph(s) [0110] and [0157] and Fig. 14A and related text):
obtaining the piece of identification data of the communications terminal (See paragrap(s [0110], [0157] and [0166] and Fig. 14A and related text); (See paragraph [0110], "...a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device;”); (See paragraph [0157], "...The mobile computing device 201 displays (406) at least one user interface window in response to receiving the request from the server. The at least one user interface window includes (1406) a plurality of data entry fields corresponding to the request. In some implementations, the process prompts (1408) for user authentication as a prerequisite to energizing an external proximity based card, as described below.”); (See paragraph [0166], "…In some implementations, the server issues a separate authentication request to identify the mobile device 201. In this case, the mobile device receives (1448) the authentication request from the server. In response to the authentication request, the mobile device provides (1450) a unique identifier of the device. In some implementations, the unique identifier is (1452) a MAC address, an IP address, a phone number of the device, an email address, a MSISDN number, an IMEI or MEID number, or an IMSI number.”);
obtaining the piece of authentication data for the user with whom the communications terminal is associated (See paragraphs [0016] and [0166]); (See paragraph [0016], "...In some implementations, the prompt for user authentication requires entry of a personal identification number or password by a user. In some implementations, the prompt for user authentication activates a biometric input device for user authentication”); (See paragraph [0166], "…In some implementations, the server issues a separate authentication request to identify the mobile device 201. In this case, the mobile device receives (1448) the authentication request from the server. In response to the authentication request, the mobile device provides (1450) a unique identifier of the device. In some implementations, the unique identifier is (1452) a MAC address, an IP address, a phone number of the device, an email address, a MSISDN number, an IMEI or MEID number, or an IMSI number.”);
encrypting the identification data of the communications terminal and the authentication data of the user, and delivering the piece of reference authentication data (See paragraphs [0108-0111] and [0169]); and
transmitting the piece of reference authentication data to the transaction processing server (See paragraph [0169]); (See paragraph [0169], "...the process 1400 transmits (1460) the encrypted values to the server or a third party for the transaction.”).

Regarding Claim 7: Tsui, Varadarajan, Lim and Zhang, discloses as shown above. 
Tsui further discloses: Method for processing, according to claim 5, further comprising, during the reception, by the transaction processing server, of the data coming from the at least one entry area, at least one act of comparing at least one piece of data transmitted within the entry area and the piece of reference authentication data, and delivering an assertion of validation of the transaction (See paragraph [0151], "...The user initiates (1320) a transaction, and subsequent activity to fill in data occurs (1322) as described above with respect to FIG. 9, 10, or 11. The user then submits (1324) the transaction for processing. In some implementations, the submission of the transaction is automated after the data entry fields are filled and does not require manual submission by the user. The Tap application 550 requests (1326) a unique identifier for the device, which is retrieved (1328) from memory. As noted above, the unique identifier can take many forms. If the request for a unique identifier is not successful (1330), the transaction is declined (1346), and the process is done (1350) without completing the desired transaction.”).

Regarding Claims 8 and 9: Tsui, Varadarajan, Lim and Zhang, discloses as shown above. 
Tsui further discloses: A communications terminal (e.g. electronic communication device 201) comprising (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text):
a display screen (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text); 
a contactless data reading device (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text); and
a transaction data processing device for processing transactional data during a payment transaction, the processing device comprising a processor and a non-transitory computer-readable medium comprising instructions stored thereon which when executed by the processor configure the processing device to perform acts comprising (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text):
detecting a display, made by a requesting application, of at least one entry area for a piece of payment data on the display screen of the communications terminal, the requesting application having initiated the payment transaction (See paragraph [0086], "...In a second alternative scenario, the user in step 304 taps a proximity based communications enabled payment card against his electronic communication device…In this case, the system initiates extraction of just payment data from the payment card, and places the extracted data into corresponding fields on the displayed web page on the electronic communication device.”), (See paragraphs [0014], [0016], [0056], [0071], and [0084] and Fig. 1 and Fig. 3 and related text);
in response to the detecting, activating the contactless data reading device (See paragraph [0085], "...the scenario branches into one of the following two scenarios. In a first scenario, the user in step 304 taps a dedicated payment card 203 against the electronic communication device 201, which initiates data extraction from the dedicated payment card. The extracted data includes payment data, any address data, and any other user data needed to populate corresponding fields in the web page displayed on the electronic communication device.” See also paragraph [0014], [0016] and [0086] and Fig. 1 and Fig. 3 and related text);
obtaining, by the contactless data reading device, at least one piece of payment data coming from a contactless payment device (See paragraph [0087], "...After the previous steps, the website typically gives the user the opportunity (306) to verify, edit, and confirm any data that was entered into the web page, regardless of whether extracted from a payment card or entered manually. The user at this point can modify, add, and/or remove data (e.g., even overriding data extracted from the payment card).” See also paragraph(s) [0085]-[0086] Fig. 1 and Fig. 3 and related text);
[sends or providing] a [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) having a bank card verification code format (e.g., a Card Verification Value ("CVV") or Card Verification Code ("CVC")), the generating  comprising (e.g. communication device), the generating comprising (See paragraph [0152], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”); (See paragraph [0131-0132], "...The third party uses the unique identifier to look up an account corresponding to the device 820, and returns authentication values from the account information. For example, the authentication values may include a ZIP or postal code, an email address, or a user name….the application sends a transaction to an authentication party”); (See paragraph [0012], "...In some implementations, the electronic communication device extracts data from the card that is necessary to establish the card-holder's credentials. This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data. In some implementations, the communication device outputs this data to corresponding fields of a web page.”); (See paragraph [0137], "...In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B. If the authentication process is successful (952), the transaction is approved (956). Otherwise, the transaction is declined (954). After the approval or declination, this portion of the process is complete (958). Subsequently, the product is shipped.” See also paragraph(s) [0003], [0012], [0066], [0131]-[0132], [0137] and [0152]).
obtaining a piece of identification data (e.g. a unique identifier of the mobile) of the communications terminal (See paragraph(s) [0022]); (See paragraph [0022], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0016]); (See paragraph [0016], "...In some implementations, the prompt for user authentication requires entry of a personal identification number or password by a user. In some implementations, the prompt for user authentication activates a biometric input device for user authentication”); and
[sends or providing] the [CVV/security code/unique identification code]  using a […]  the piece of identification data of the communications terminal and the piece of authentication data of the user (See paragraph [0108-0111], "…a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device…”, see also paragraph(s) [0108]-[0111]);
filling (e.g. step 408), at the at least one entry area with (e.g. data entry fields), the at least one piece of payment data previously obtained (See paragraph(s) [0075] and [0091 and Fig. 4 and related text); (See paragraph [0075], "...In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550.”); (See paragraph [0091], "...In step 408 the entity typically gives the user 200 the opportunity to verify, edit, and confirm any data that was acquired by the entity. In some physical environments the user at step 408 can modify, add, and/or remove data manually.”);
filling, in a pre-selected entry area corresponding to an entry area for a bank card verification code with the generated current authentication code (See paragraph(s) [0003], [0066] and [0137] and Fig. 12 and related text); (See paragraph [0137], "...The tap and autofill process 942 is described in more detail below in FIG. 12. Whatever data entry fields are not filled by the tap process must be entered (944) manually, and the user submits (948) the transaction. In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550. In some implementations, the submission of the transaction is automated after the data entry fields are filled and does not require manual submission by the user. In some implementations, when the Tap application 550 has permission from the user, the Tap application 550 collects and stores the information that the user manually enters. In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B.”); and
returning control of the display to the requesting application (Tsui [0081]-[0082], “After the data is collected by the website 202, some websites 202 display the received data, giving the user an opportunity to verify and edit (step 116). Other websites are configured to skip this step and send the processed data directly for payment processing (step 117). In some implementations, payment data is collected by the website to facilitate a transaction process, along with address data and other user data (e.g., for shipping). In some implementations, any combination of payment data, address data, and other user data is collected during information exchange that does not involve a transaction. For example, a user may register at a social website or an online forum, and the information in the card is used to simplify the registration process.”), (See paragraphs [0081] and [0082], and Fig. 3 and related text).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

Varadarajan discloses, generating a current authentication code and formatting the current authentication code as a bank card verification code (see paragraph [0039]-[0040]).
Varadarajan further discloses, generating, by the transactional data processing device, a current authentication code a bank card verification code, the generating comprising (See paragraph [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”, [0057], “it is understood that a generally similar system could be used for other transactional processes or authorizing and authenticating systems which require verification by inputting a user identifier or an account code and/or a secondary code, such as a PIN or additional data element.” see also [0022], [0057], [0031], [0025], [0054]-[0056] and [0035]-[0039] and) and Fig. 4 and related text):
obtaining a piece of identification data of the communications terminal (See paragraph [0054], [0056] and [0057] and Fig. 4 and related text);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0055], [0056], [0057] and [0045] and Fig. 4 and related text);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

Tsui does not specifically disclose, the current authentication code is generated using a symmetric bilinear coupling function.

Zhang discloses, the current authentication code is generated using a symmetric bilinear coupling function (Zhang [0009], “, an object of the present invention to provide a method and an apparatus for generating and verifying an identity based blind signature by using bilinear parings, which reduces the amount of computing time and storage and simplifies the key management procedures.” [0036], “The ID-based blind signature scheme can be performed with supersingular elliptic curves or hyperelliptic curves. The essential operation in the ID-based signature schemes is to compute a bilinear pairing. The computation of a bilinear pairing may be performed efficiently and the length of a signature can be reduced by using compression techniques.”), (see paragraphs [0006], [0009] and [0036]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui and Varadarajan with Zhang to include function of using bilinear parings to generate an authentication code, which reduces the amount of computing time and storage and simplifies the key management procedures.

Tsui does not specifically disclose:
in response to the detecting, taking control of the display made on the display screen, by interrupting the requesting application; and, when the display is under control of the processing device;

Lim discloses:
in response to the detecting (e.g., webpage 600 / webpage 630 presented to a consumer), taking control of the display made on the display screen, by interrupting the requesting application; and, when the display is under control of the processing device (Lim [0037], “The add card webpage 600 enables the consumer to add another proximity payment device (which may be a new payment account, for example) to his or her electronic wallet, and it includes a plurality of data entry fields. In this example, the data entry fields include a card nickname field 602, a name-on-card field 604, a card number field 606, expiration date fields 608, a security code field 610, a billing address field 612 and residence address fields 614.” [0038], “a consumer who has registered his or her consumer device and proximity device for the one-tap add account feature can select the "Tap to Add" icon 620. After selecting the Tap to Add icon 620, the consumer is presented with the webpage 630 shown in FIG. 6B. In particular, FIG. 6B has a "Tap to Add" window 632 superimposed over the webpage 600 of FIG. 6A which prompts the consumer to "Tap your PayPass.TM. enabled card or mobile device to the NFC reader on your computer"), (See paragraphs [0037]-[0040], [0044]-[0045] and [0032] and Fig. Fig. 6A, 6B, 8A and 8B and related text).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Tsui, Varadarajan and Zhang with Lim to include a function such as interrupting or pausing a function to populate or obtain additional data utilizing pop-up interface, hence improving users security and user experience.

Regarding Claims 10, 11 and 12: Tsui, Varadarajan, Lim and Zhang, discloses as shown above. 
Tsui further discloses: The method for securing processing according to claim 1, wherein […] the [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) having the bank card verification code format (e.g., a Card Verification Value ("CVV") or Card Verification Code ("CVC")) comprises formatting the current authentication code to have a size corresponding to a size accepted by the pre-selected entry area corresponding to the entry area for the bank card verification code ([0012], “This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data. In some implementations, the communication device outputs this data to corresponding fields of a web page.” see also [0066]).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

Varadarajan discloses, generating a current authentication code and formatting the current authentication code as a bank card verification code (see paragraph [0039]-[0040]).
Varadarajan further discloses, the method for securing processing according to claim 1, wherein generating the current authentication code having the bank card verification code format comprises formatting the current authentication code to have a size corresponding to a size accepted by the pre-selected entry area corresponding to the entry area for the bank card verification code (See paragraph [0031], “For example, a dynamic CVV may typically be configured as a 3-digit or 4-digit number and a dynamic PAN may typically be configured as a 16-digit number. ... The DCV may be configured in any form or manner required for input as a DCV by the transaction interface, for example, as one of or a combination of a character string of one or more alpha-numeric or special characters, a datum or an electronic signal transmittable from the user device, a datum or an electronic signal generated by the user device, or as a user instruction.”, [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

    Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAHED ALI whose telephone number is (571)270-1085.  The examiner can normally be reached on 8:00 - 5:00 M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAHED ALI/Examiner, Art Unit 3685           


/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3685