DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
Claims 1-20 have been rejected. 
Claim Objections
Claim 12 is objected to because of the following informalities:
In claim 12, “An access control server comprising …receiving, by an access control server….” should be “An access control server comprising…receiving, by the access control server…” For purposes of examination, claim 12 is being interpreted as “An access control server comprising…receiving, by the access control server …”
Appropriate correction is required.

Claim Rejections – 35 USC §101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
In the instant case, claims 1-11 are directed to a method, claims 12-19 are directed to an access control server, and claim 20 is directed to a directory server. Therefore, these claims fall within the four statutory categories of invention. 
Claims 1-19
The claims recite transaction processing with fraud risk assessment. Specifically, the claims recite “receiving…from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction;” “performing…a risk analysis for the transaction based at least in part on the information and a threshold;” “authenticating…a user of the account identifier using the information, the account identifier, and a result of the risk analysis;” “modifying…an authentication response to include an authentication indicator;” and “transmitting…the authentication response to the authentication requestor,” which is grouped within the “Certain methods of organizing human activity” grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because the claims describe a process of receiving a request for processing a transaction, performing fraud risk analysis with authentication and transaction data, providing and sending a response based on the fraud risk analysis, which is a commercial interaction. Accordingly, the claim recites an abstract idea (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional element(s) of the claim such as an access control server, a directory server, a processor and a computer readable medium, merely use a computer as a tool to perform an abstract idea and/or generally link the use of a judicial exception to a particular technological environment. Specifically, these additional elements perform the steps or functions of “receiving…from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction;” “performing…a risk analysis for the transaction based at least in part on the information and a threshold;” “authenticating…a user of the account identifier using the information, the account identifier, and a result of the risk analysis;” “modifying…an authentication response to include an authentication indicator;” and “transmitting…the authentication response to the authentication requestor.” The use of a processor/computer as a tool to implement the abstract idea and/or generally link the use of the abstract idea to a particular technological environment does not integrate the abstract idea into a practical application because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.
The additional elements do not involve improvements to the functioning of a computer, or to any other technology or technical field (MPEP 2106.05(a)), the claims do not apply or use the abstract idea to effect a particular treatment or prophylaxis for a disease or medical condition (Vanda Memo), the claims do not apply the abstract idea with, or by use of, a particular machine (MPEP 2106.05(b)), the claims do not effect a transformation or reduction of a particular article to a different state or thing (MPEP 2106.05(c)), and the claims do not apply or use the abstract idea in some other meaningful way beyond generally linking the use of the abstract idea to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (MPEP 2106.05(e) and Vanda Memo). Therefore, the claims do not, for example, purport to improve the functioning of a computer. Nor do they effect an improvement in any other technology or technical field. Accordingly, the additional elements do not impose any meaningful limits on practicing the abstract idea, and the claims are directed to an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), the additional elements of using an access control server, a directory server, a processor and a computer readable medium to perform the steps amounts to no more than using a computer or processor to automate and/or implement the abstract idea of transaction processing with fraud risk assessment. As discussed above, taking the claim elements separately, these additional elements perform(s) the steps or functions of “receiving…from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction;” “performing…a risk analysis for the transaction based at least in part on the information and a threshold;” “authenticating…a user of the account identifier using the information, the account identifier, and a result of the risk analysis;” “modifying…an authentication response to include an authentication indicator;” and “transmitting…the authentication response to the authentication requestor.” These functions correspond to the actions required to perform the abstract idea. Viewed as a whole, the combination of elements recited in the claims merely recite the concept of transaction processing with fraud risk assessment. Therefore, the use of these additional elements does no more than employ the computer as a tool to automate and/or implement the abstract idea. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05 (f) & (h)). Therefore, the claim is not patent eligible.
Dependent claims 2-11, 13-19 further describe the abstract idea of transaction processing with fraud risk assessment. The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. For example, the additional limitation “…setting a value in the authentication response that represents a strength of a verification result for the transaction based at least in part on the prior authentication method on the account identifier and the current authentication method for the account identifier,” as recited in claim 7, further recites the abstract idea of purchase transaction processing with fraudulent risk assessment. With respect to claims 2-3, 13-14, the additional elements “generating, by a service provider application, a set intent message that includes a user identifier, a service provider payment account identifier, and transaction data for the transaction” of claims 2 and 13, and “generating, by the service provider application, an attestation signature for the transaction based at least in part on input provided by the user associated with the transaction” of claims 3 and 14, do not improve the functioning of a computer, nor do they improve a technology or technical field. Therefore, the dependent claims are also not patent eligible. Viewed as a whole, the combination of elements recited in the claims merely recites the concept of transaction processing with fraudulent risk assessment. Therefore, the use of these additional elements does no more than employ the computer as a tool to automate and/or implement the abstract idea. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05 (f) & (h)). Therefore, the claim is not patent eligible.
Claim 20
The claim recites transaction processing with verification. Specifically, the claim recites “receiving…from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction, the current authentication method for the account identifier including a signature for the transaction;” “verifying…the signature of the information;” “modifying…an authentication response to include the verification of the signature;” and “transmitting… the authentication response to the authentication requestor thereby bypassing an access control [resource] for the transaction,” which is grouped within the “Certain methods of organizing human activity” grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because the claims describe a process of receiving a request for processing a transaction, verifying signature of the transaction, providing and sending a response based on the verification, which is a commercial interaction. Accordingly, the claim recites an abstract idea (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional element(s) of the claim such as a directory server, a processor, a computer readable medium and an access control server, merely use a computer as a tool to perform an abstract idea and/or generally link the use of a judicial exception to a particular technological environment. Specifically, these additional elements perform the steps or functions of “receiving…from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction, the current authentication method for the account identifier including a signature for the transaction;” “verifying…the signature of the information;” “modifying…an authentication response to include the verification of the signature;” and “transmitting… the authentication response to the authentication requestor thereby bypassing an access control [resource] for the transaction.” The use of a processor/computer as a tool to implement the abstract idea and/or generally link the use of the abstract idea to a particular technological environment does not integrate the abstract idea into a practical application because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.
The additional elements do not involve improvements to the functioning of a computer, or to any other technology or technical field (MPEP 2106.05(a)), the claims do not apply or use the abstract idea to effect a particular treatment or prophylaxis for a disease or medical condition (Vanda Memo), the claims do not apply the abstract idea with, or by use of, a particular machine (MPEP 2106.05(b)), the claims do not effect a transformation or reduction of a particular article to a different state or thing (MPEP 2106.05(c)), and the claims do not apply or use the abstract idea in some other meaningful way beyond generally linking the use of the abstract idea to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (MPEP 2106.05(e) and Vanda Memo). Therefore, the claims do not, for example, purport to improve the functioning of a computer. Nor do they effect an improvement in any other technology or technical field. Accordingly, the additional elements do not impose any meaningful limits on practicing the abstract idea, and the claims are directed to an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), the additional elements of using a directory server, a processor, a computer readable medium and an access control server,  to perform the steps amounts to no more than using a computer or processor to automate and/or implement the abstract idea of transaction processing with verification. As discussed above, taking the claim elements separately, these additional elements perform(s) the steps or functions of “receiving…from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction, the current authentication method for the account identifier including a signature for the transaction;” “verifying…the signature of the information;” “modifying…an authentication response to include the verification of the signature;” and “transmitting… the authentication response to the authentication requestor thereby bypassing an access control [resource] for the transaction.”  These functions correspond to the actions required to perform the abstract idea. Viewed as a whole, the combination of elements recited in the claims merely recite the concept of transaction processing with verification. Therefore, the use of these additional elements does no more than employ the computer as a tool to automate and/or implement the abstract idea. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05 (f) & (h)). Therefore, the claim is not patent eligible.

Claim Rejections – 35 USC §112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4, 14-15 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Unclear Scope
Claim 4 recites “The computer-implemented method of 3, further comprising generating, by the service provider application, an attestation signature for the transaction based at least in part on input provided by the user associated with the transaction.” Paragraph [0068] of the specification (PGPub 2021/0035107A1) recites:
[0068] At step 11, after receiving the update intent message from the service provider application 108, the service provider computer 110 may sign the transaction for attestation, resulting in a service provider signature…

The specification describes the service provider computer 110 signing the transaction for attestation. The specification does not describe the service provider application generating an attestation signature for the transaction. Therefore, the claim is unclear because the claim is not in line with the specification. An essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed (See In re Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989)).
Claim 14 recites “The access control server of claim 12, wherein the method further comprises generating, by a service provider application associated with the account identifier, a set intent message that includes a user identifier, a service provider payment account identifier, and transaction data for the transaction.” Claim 12, which claim 14 depends on, is directed to an access control server comprising a processor and a computer readable medium coupled to the processor. However, the claim is silent on whether the claimed access control server comprises “a service provider application.” The specification describes the user device as including the service provider application 108 (e.g., a digital wallet application) (paragraph [0048] of PGPub 2021/0035107A1). The specification does not describe the claimed access control server as including “a service provider application,” nor does the specification describe the access control server generating a set intent message. Therefore, the claim is unclear because the claim is not in line with the specification. An essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed (See In re Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989)).
Claim 15 recites “The access control server of claim 14…generating, by the service provider application an attestation signature…” Claim 12, which claim 15 depends on, is directed to an access control server comprising a processor and a computer readable medium coupled to the processor. Paragraph [0068] of the specification (PGPub 2021/0035107A1) recites:
[0068] At step 11, after receiving the update intent message from the service provider application 108, the service provider computer 110 may sign the transaction for attestation, resulting in a service provider signature…

The specification describes the service provider computer 110 signing the transaction for attestation. The specification does not describe the access control server or the service provider application generating an attestation signature for the transaction. Therefore, the claim is unclear because the claim is not in line with the specification. An essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed (See In re Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989)).
Claim 20 recites “modifying, by the access control server, an authentication response to include the verification of the signature; and transmitting, by the directory server, the authentication response to the authentication requestor thereby bypassing an access control server for the transaction.” Paragraphs [0091] and [0092] of the specification (PGPub 2021/0035107A1) recite:
[0091] At step 11, the access control server 116 may generate an online authentication process reply including the CAVV and an ECI5. The access control server 116 may then transmit the online authentication process reply to the directory server 114…

[0092] At step 12, after receiving the online authentication process reply, the directory server 114 may forward the online authentication process reply to the processor computer 112.


The specification describes the directory server 114 receiving the online authentication reply generated by the access control server 116 and transmitting the online authentication process reply to the processor computer 112. The specification does not describe the directory server 114 performing the step of modifying an authentication response to include the verification of the signature. Therefore, the claim is unclear because the claim is not in line with the specification. An essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed (See In re Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989)).

Claim Rejections – 35 USC §102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 5-6, 8-14, 16-17, 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Leyva R. (US 2016/0180333A1 (“Leyva”)).
Regarding claims 1 and 12, Leyva teaches a computer-implemented method comprising:
receiving, by an access control server via a directory server from an authentication requestor (Leyva: Fig. 1, 'Access Control Server Computer 112', Fig. 2, step 210, Fig. 5, step 506; ¶¶9, 34, 53, 98), an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction (Leyva: ¶¶28-29, 34-35, 66-67, 75, 78, 98);
performing, by the access control server, a risk analysis for the transaction based at least in part on the information and a threshold; (Leyva: Fig. 2, step 212, Fig. 5, step 510/512; ¶¶68, 100-101, 102-104)
authenticating, by the access control server, a user of the account identifier using the information, the account identifier, and a result of the risk analysis; (Leyva: Fig. 2, step 212, Fig. 5, step 512; ¶¶55, 68, 102-103)
modifying, by the access control server, an authentication response to include an authentication indicator; and (Leyva: Fig. 2, step 212, Fig. 5, step 508; ¶¶37, 70, 99)
transmitting, by the access control server, the authentication response to the authentication requestor. (Leyva: Fig. 2, step 214, Fig. 5, steps 508/510; ¶¶70-72, 99)
Additionally, for claim 12, Leyva teaches:
An access control server comprising: a processor; and a computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, to implement a method comprising (Leyva: Fig. 1, ‘Access Control Server Computer 112’, Fig. 8; ¶¶55, 127)…
Regarding claims 2 and 13, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 2 being dependent of claim 1 and claim 13 being dependent of claim 12. Furthermore,
Leyva teaches:
wherein the information further includes transaction data for the transaction and personal information for the user associated with the transaction. (Leyva: ¶¶28-29, 34-35, 67, 108)
Regarding claims 3 and 14, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 3 being dependent of claim 1 and claim 14 being dependent of claim 12. Furthermore,
Leyva teaches the computer-implemented method further comprising:
generating, by a service provider application associated with the account identifier, a set intent message that includes a user identifier, a service provider payment account identifier, and transaction data for the transaction. (Leyva: Fig. 6 'Wallet Server Computer 106', Fig. 6, step 604; ¶¶51, 109)
Regarding claims 5 and 16, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 5 being dependent of claim 1 and claim 16 being dependent of claim 12. 
Leyva teaches further comprising:
wherein the information regarding the prior authentication method on the account identifier and the current authentication method for the account identifier are represented by one or more values that are appended to a message associated with the authentication request. (Leyva: ¶¶66-67, 98)
Regarding claims 6 and 17, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 6 being dependent of claim 5 and claim 17 being dependent of claim 16. Furthermore,
Leyva teaches the computer-implemented method further comprising:
wherein a value of the one or more value represents a unique type of authentication provided by a processing network. (Leyva: ¶¶66-67, 98)
Regarding claim 8, Leyva teaches the computer-implemented method of claim 1, as claim 8 being dependent of claim 1. Furthermore,
Leyva teaches:
wherein the current authentication method for the account identifier associated with the transaction is performed by a service provider application associated with the account identifier and the transaction. (Leyva: ¶¶28-29, 50, 66-67)
Regarding claim 9, Leyva teaches the computer-implemented method of claim 1, as claim 9 being dependent of claim 1. Furthermore,
Leyva teaches:
wherein the current authentication method includes at least one of a first login to an account using an authorizing entity authentication process, a second login to the account through a service provider application authentication process, or a third login to the account using a third party authentication process. (Leyva: Fig. 7; ¶¶28-29, 66, 118-119)
Regarding claim 10, Leyva teaches the computer-implemented method of claim 1, as claim 10 being dependent of claim 1. Furthermore,
Leyva teaches:
wherein the prior authentication method includes at least one of a billing address verification process, a online authentication process risk based analysis using device information from a user device associated with the transaction process, a online authentication process challenge process that includes a username and password login provisioning, a tokenization process, or an issuer inline provisioning process. (Leyva: ¶¶101, 121, 108-109)
Regarding claims 11 and 19, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 11 being dependent of claim 1 and claim 19 being dependent of claim 12. Furthermore,
Leyva teaches the computer-implemented method further comprising:
wherein the result of the risk analysis includes a negative verification of the transaction in response to a determination that the risk analysis for the transaction is less than the threshold, or a positive verification of the transaction in response to a determination that the risk analysis for the transaction is greater than the threshold. (Leyva: ¶115)

Claim Rejections – 35 USC §103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 4 and 15 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Leyva as applied to claims 1 and 12 in further view of Bouch A. (NPL: 3-D Secure: A critical review of 3-D Secure and its effectiveness in preventing card not present fraud, Royal Holloway University of London, March 2011 (“Bouch”)).
Regarding claims 4 and 15, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 4 being dependent of claim 3 and claim 15 being dependent of claim 14. Furthermore,
Leyva does not explicitly teach the following limitation, however in the same field of endeavor, Bouch teaches:
generating, by the service provider application, an attestation signature for the transaction based at least in part on input provided by the user associated with the transaction. (Bouch: Chapter 3:3-D Secure, page 42, step 2)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system of Leyva to incorporate the teaching of the service provider application generating an attestation signature for the transaction, as disclosed in Bouch, to facilitate a safe and convenient e-commerce experience (Bouch: page iv).
Claims 7 and 18 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Leyva as applied to claims 1 and 12 in further view of Dimmick J. (US 2015/0046340A1 (“Dimmick”)).
Regarding claims 7 and 18, Leyva teaches the computer-implemented method of claim 1 and the access control server of claim 12, as claim 7 being dependent of claim 1 and claim 18 being dependent of claim 12.
Leyva teaches modifying the authentication response to include the authentication indicator (Leyva: Fig. 2, step 212, Fig. 5, step 508; ¶¶37, 70, 99).
However, Leyva does not explicitly teach the following limitation. In the same field of endeavor, Dimmick teaches:
setting a value in the authentication response that represents a strength of a verification result for the transaction based at least in part on the prior authentication method on the account identifier and the current authentication method for the account identifier. (Dimmick: ¶¶25, 75)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system of Leyva to incorporate the teaching of setting a value in the authentication response, as disclosed in Dimmick, to provide minimal transaction times for the majority of transactions (Dimmick: ¶136).
Claim 20 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Leyva R. (US 2016/0180333A1 (“Leyva”)) in view of Bouch A. (NPL: 3-D Secure: A critical review of 3-D Secure and its effectiveness in preventing card not present fraud, Royal Holloway University of London, March 2011 (“Bouch”)), and Kakehi R. (US 7,840,815B2 (“Kakehi”)).
Regarding claim 20, Leyva teaches a directory server (Leyva: Fig. 1, 'Directory Server Computer 110') comprising:
a processor; and a computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, to implement a method comprising: (Leyva: Fig. 1, 'Directory Server Computer 110'; Fig. 8; ¶127)
receiving, by the directory server from an authentication requestor, an authentication request comprising an account identifier, and information regarding a prior authentication method on the account identifier and a current authentication method for the account identifier associated with a transaction, the current authentication method for the account identifier (Leyva: ¶93)…
verifying, by the directory server, … the information; (Leyva: ¶110)
modifying, by the directory server, an authentication response to include the verification (Leyva: ¶111)…
transmitting, by the directory server, the authentication response to the authentication requestor thereby bypassing an access control server for the transaction (Leyva: ¶¶93, 111).
However, Leyva does not teach a signature included in the request. Bouch teaches a signature included in the request. (Bouch: Chapter 3:3-D Secure, page 42, step 2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the directory server of Leyva to incorporate the teaching of a signature included in the request, as disclosed in Bouch, to facilitate a safe and convenient e-commerce experience (Bouch: page iv).
Leyva teaches the directory server performing message verification (Leyva: ¶110). However, Leyva does not explicitly teach the server verifying the signature of the information. 
Kakehi teaches the server verifying the signature of the information and reporting the verification result of the signature (Kakehi: Fig. 9, ‘Signature Verification Unit 52’, ‘Verification Result Notification Unit’; 4:4-8, 4:44-47, 7:12-15).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the directory server of Leyva in view of Bouch to incorporate the support of signature verification and verification result reporting, as disclosed in Kakehi, for confirming the integrity of the message (Kakehi: 1:44-45).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Dominguez B. (US 2011/0196791A1) teaches authentication process with risk management.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENYUH KUO whose telephone number is (571)272-5616.  The examiner can normally be reached on Monday-Friday 8-4 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W. Hayes can be reached on (571)272-6708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/C.K./Examiner, Art Unit 3685 

/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3685