DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/10/2016 and 1/22/2017 were in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Status of Claims
This action is in reply to the application filed on 1/31/2019, wherein:
Claims 2, 4-6, 8-12, and 14 have been amended;
Claims 1, 3, 7, and 13 remain as original;
Claims 16-20 are new; and
Claims 1-20 are currently pending and have been examined.

Claim Objections
Claims 2, 7-9, 11, 13, and 14 are objected to because of the following informalities:  
The limitation of claim 2 for “wherein at least one of: computing (89) the dynamic security code; sending (90) the dynamic security code; are only performed if the message comprising the time is determined to be authentic” is confusing because it is unclear which limitations are part of the “at least one of” limitation.  It is believed that the limitation should be: “wherein at least one of: computing (89) the dynamic security code; and sending (90) the dynamic security code; are only performed if the message comprising the time is determined to be authentic”.  Appropriate correction is required. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 9 recites the limitation “the time server”.  There is insufficient antecedent basis for this limitation in the claim because independent claim 7 does not include a reference to a time server.  For purposes of examination, the limitation “the time server” in claim 9 is interpreted as “the time source” in claim 7.
    
The rejections that follow are interpreted in light of the 35 USC 112 rejections discussed above.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  The claims recite a system, method, card, and device for generating a dynamic security code for a card transaction which is considered a judicial exception because it falls under Certain Methods of Organizing Human Activity such as fundamental economic principles or practices, including mitigating risk.  This judicial exception is not integrated into a practical application as discussed below and the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception as discussed below.
This rejection follows the 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed Reg 4, January 7, 2019, pp. 50-57 (“2019 PEG”).  

Analysis
Step 1 (Statutory Categories) – 2019 PEG pg. 53
Claims 1-20 are directed to the statutory category of a process.  

Step 2A, Prong 1 (Do the claims recite an abstract idea?) – 2019 PEG pg. 54
For independent claim 1, the claim recites an abstract idea of generating a dynamic security code for a card transaction.  The steps of: receiving a request to generate a dynamic security code; receiving a message comprising a time; computing the dynamic security code based on the time and a key stored at the card; and sending the dynamic security code to the electronic device, when considered collectively as an ordered combination recites the abstract idea of generating a dynamic security code for a card transaction.       
For independent claim 7, the claim recites an abstract idea of generating a dynamic security code for a card transaction.  The steps of: receiving a user request to generate a dynamic security code; sending a request to generate a dynamic security code, sending a time request to a time source external to the electronic device; receiving a message comprising a time from the time source; sending the message comprising the time to the card; receiving the dynamic security code from the card; wherein a value of the dynamic security code is based on the time; and causing the dynamic security code to be displayed, when considered collectively as an ordered combination recites the abstract idea of generating a dynamic security code for a card transaction.   
For independent claim 13, the claim recites an abstract idea of generating a dynamic security code for a card transaction.  The steps of: store a key, receive a request to generate a dynamic security code; receive a message comprising a time; compute the dynamic security code based on the time and a stored key; and send the dynamic security code to the electronic device, when considered collectively as an ordered combination recites the abstract idea of generating a dynamic security code for a card transaction. 
For independent claim 15, the claim recites an abstract idea of generating a dynamic security code for a card transaction.  The steps of: receive a user request to generate a dynamic security code; send a request to generate a dynamic security code, send a time request to a time source external to the electronic device; receive a message comprising a time from the time source; send the message comprising the time to the card; receive the dynamic security code from the card; and cause the dynamic security code to be displayed, when considered collectively as an ordered combination recites the abstract idea of generating a dynamic security code for a card transaction.   
Independent claims 1, 7, 13, and 15, as drafted, are a process that, under the broadest reasonable interpretation, covers Certain Methods of Organizing Human Activity, since they recite fundamental economic principles or practices including mitigating risk.  For independent claim 1, the steps of: receiving a request to generate a dynamic security code; receiving a message comprising a time; computing the dynamic security code based on the time and a key stored at the card; and sending the dynamic security code to the electronic device, considered collectively as an ordered combination, is a process that, under the broadest reasonable interpretation, covers Certain Methods of Organizing Human Activity such as fundamental economic principles or practices of mitigating risk.  Based on similar reasoning and rationale, the steps of Independent claim 7, 13, and 15 also recite Certain Methods of Organizing Human Activity.  Hence all the steps of the claim, considered collectively as an ordered combination, fall under the abstract idea of Certain Methods of Organizing Human Activity.  If the claim limitations, under the broadest reasonable interpretation, covers Certain Methods of Organizing Human Activity, but for the recitation of generic computer components, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  Other than reciting the abstract idea, the independent claims recite additional elements including generic computer components such as “an electronic device external to the card, an external card interface, a device to card interface, a time source external to the electronic device, the card, a display of the user electronic device, a card comprising a secure element with a processor and storage configured to store a key; a dynamic security code, the electronic device comprising a processor, storage, a device to card interface, a user input device, and a display”, and nothing in the claims precludes the steps from being performed Certain Methods of Organizing Human Activity.  Accordingly, the claims recite an abstract idea.  
Dependent claims 2-6, 8-12, 14, and 16-20 recite similar limitations as independent claims 1, 7, 13, and 15; and when analyzed as a whole are held to be patent ineligible under 35 U.S.C 101 because the additional recited limitations only refine the abstract idea further.  For instance in claims 2-4, 14, and 16, the additional abstract ideas of: determining an authenticity of the message comprising the time; at least one of computing the dynamic security code and sending the dynamic security are only performed if the message comprising the time is determined to be authentic; wherein the message comprising the time comprises a Message Authentication Code, MAC and determining an authenticity of the message comprises computing a Message Authentication Code at the card using a key stored at the card; and comparing the computed Message Authentication Code with the Message Authentication Code in the received message, under the broadest reasonable interpretation, are further refinements of methods of organizing human activity such as fundamental economic principles or practices including mitigating risk because these describe the intermediate steps of the underlying process for mitigating risk of the transaction.
In claims 5, 6, 8-11, and 17-20, the limitations of: stores an identifier (ID) which identifies a time key (time-key ID) used to authenticate the message, receiving a request for the identifier, and sending the identifier; receiving a personal identification number, determining if the personal identification number is correct; and only computing the dynamic security codes if the personal identification number is determined to be correct; sending a request for an identifier to the card; display a request for a personal identification number; receiving a PIN entered by a user, sending the PIN to the card; storing a plurality of identifiers with each identify a key used to authenticate the message comprising the time for each of the cards; display an invitation for user input to select one of the plurality of cards; receiving user input selecting one of the cards; retrieving the identifier for the selected card; and sending the retrieved identifier to the time source with the time request, are further refinements of methods of organizing human activity such as fundamental economic principles or practices including mitigating risk because they describe variations for mitigating risk for a transaction.
in claim 12, the limitations of: wherein at least one of the of the external card interface and the device to card interface is a near field communication, NFC, interface, under the broadest reasonable interpretation, are further refinements of methods of organizing human activity such as fundamental economic principles or practices including mitigating risk because these describe the interface.
Other than reciting the abstract idea, the dependent claims recite similar additional elements, including generic computer components, as the independent claims, such as “a Message Authentication Code, MAC, a key stored at the card, the card stores an identifier ID, a time key stored at the card, the external card interface, the electronic device, a PIN, a dynamic security code, the device to card interface, the time server, the display of the electronic device, a user input device of the electronic device, plurality of different cards, a plurality of identifiers, the time source, a near field communication, NFC, interface, and a secure element of the card”.  If a claim limitation, under its broadest reasonable interpretation, covers fundamental economic principles or practices including mitigating risk, but for the recitation of generic computer components, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.

Step 2A, Prong 2 (Does the claim recite additional elements that integrate the judicial exception into a practical application?) – 2019 PEG pg. 54
This judicial exception is not integrated into a practical application.  In particular, independent claims 1, 7, 13, and 15 only recite the additional elements of “an electronic device external to the card, an external card interface, a device to card interface, a time source external to the electronic device, the card, a display of the user electronic device, a card comprising a secure element with a processor and storage configured to store a key; a dynamic security code, the electronic device comprising a processor, storage, a device to card interface, a user input device, and a display”.  A plain reading of Figures 1, 2, and 11-13, and associated descriptions in at least: page 4 of the specification stating “card 35 can be a payment card, such as a debit card or credit card…card comprises a secure element 310…secure element 310 comprises a processor 312 and storage 313…secure element 310 may be Europay, MasterCard and Visa (EMV compliant)”; page 8 of the specification stating “examples of the host device 10 are a smart phone, a tablet, a personal computer (PC), or any other suitable computing device”, reveals that generic processors may be used to execute the claimed steps.  The additional elements of “an electronic device external to the card, an external card interface, a device to card interface, a time source external to the electronic device, the card, a display of the user electronic device, a card comprising a secure element with a processor and storage configured to store a key; a dynamic security code, the electronic device comprising a processor, storage, a device to card interface, a user input device, and a display” are recited at a high level of generality (i.e., as a generic processor performing generic computer functions) such that it amounts to no more than mere instructions to apply the exception using generic computer components (See MPEP 2106.05(f)) and limits the judicial exception to a particular environment (See MPEP 2106.05(h)).  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  Hence, independent claims 1, 7, 13, and 15 are directed to an abstract idea. 
Dependent claims 2-6, 8-12, 14, and 16-20, recite similar generic computer components as the independent claims, such as: “a Message Authentication Code, MAC, a key stored at the card, the card stores an identifier ID, a time key stored at the card, the external card interface, the electronic device, a PIN, a dynamic security code, the device to card interface, the time server, the display of the electronic device, a user input device of the electronic device, plurality of different cards, a plurality of identifiers, the time source, a near field communication, NFC, interface, and a secure element of the card”.  The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high-level of generality such that it amounts to more no more than mere instructions to apply the exception using generic computer components.  Therefore, the additional elements do not integrate the abstract idea into a practical application because they also do not impose any meaningful limits on practicing the abstract idea.  Also the claims do not affect an improvement to another technology or technical field; the claims do not amount to an improvement of the functioning of a computer system itself; the claims do not effect a transformation or reduction of a particular article to a different state or thing; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.   

Step 2B – 2019 PEG pg. 56
Independent claims 1, 7, 13, and 15, do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of “an electronic device external to the card, an external card interface, a device to card interface, a time source external to the electronic device, the card, a display of the user electronic device, a card comprising a secure element with a processor and storage configured to store a key; a dynamic security code, the electronic device comprising a processor, storage, a device to card interface, a user input device, and a display” to perform the steps of independent claim 1 for: receiving a request to generate a dynamic security code; receiving a message comprising a time; computing the dynamic security code based on the time and a key stored at the card; and sending the dynamic security code to the electronic device, and based on similar reasoning and rationale for the steps of independent claims 7, 13, and 15, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)) and limits the judicial exception to the particular environment of computers (See MPEP 2106.05(h)).  The additional elements of the instant underlying process, when taken in combination, together do not offer substantially more than the sum of the function of the elements when each is taken alone.  Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.  
Further, MPEP 2106.05(d)(ii) provides that receiving and transmitting data over a network (see buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network)); are well-understood routine and conventional, similar to the instant application claims which recite: “receiving a request to generate a dynamic security code…, receiving a message comprising a time…, sending the dynamic security code to the electronic device…, sending a request to generate a dynamic security code…, sending a time request…, sending the message comprising the time to the card…, receiving the dynamic security code from the card…, receiving…a request for the identifier, and sending the identifier…”.  Furthermore, MPEP 2106.05(d)(ii) provides that performing repetitive calculations (see Flook, 437 U.S. at 594, 198 USPQ2d at 199 (recomputing or readjusting alarm limit values), and Bancorp Services v. Sun Life, 687 F.3d 1266, 1278, 103 USPQ2d 1425, 1433 (Fed. Cir. 2012) (“The computer required by some of Bancorp’s claims is employed only for its most basic function, the performance of repetitive calculations, and as such does not impose meaningful limits on the scope of those claims”)) are well-understood, routine, conventional activity, similar to the claimed limitations of the independent claims for: “computing…”.  Furthermore, the steps for “causing the dynamic security code to be displayed…” are merely presenting results of an analysis akin to Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) and are only generally linking the use of the judicial exception to a particular technological environment (see MPEP 2106.05(h)).  Therefore, independent claims 1, 7, 13, and 15 are not patent eligible.  
In addition, the dependent claims 2-6, 8-12, 14, and 16-20 do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of dependent claims of: “a Message Authentication Code, MAC, a key stored at the card, the card stores an identifier ID, a time key stored at the card, the external card interface, the electronic device, a PIN, a dynamic security code, the device to card interface, the time server, the display of the electronic device, a user input device of the electronic device, plurality of different cards, a plurality of identifiers, the time source, a near field communication, NFC, interface, and a secure element of the card”, to perform the claimed limitations, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)).  Similar to the independent claims, mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.  Also for the same reasoning as the independent claims, the additional elements of the limitations of the dependent claims, when considered individually and as an ordered combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone and the dependent claims as a whole, do not amount to significantly more than the abstract idea itself.  For these reasons, dependent claims 2-6, 8-12, 14, and 16-20 also are not patent eligible under 35 U.S.C. 101.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


6.	Claims 1-4, 6, 16, 19, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by WO 2014022778 to Coulier et al. (hereinafter referred to as Coulier).

In regards to claim 1, Coulier discloses a method of generating a dynamic security code (cryptographically generate a dynamic security value, para. 00139) for a card transaction (system authenticates users to authenticate transactions submitted by users to an application, para. 00106), the method comprising at the card (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149):  receiving a request to generate a dynamic security code from an electronic device external to the card (The access device obtains the Authentication Initiating message and emits a signal encoding the messages which is captured by the user authentication device, para. 00169) via an external card interface (the emitted signal is captured at the user authentication device and decoded to obtain the Authentication Initiation Message 435, para. 00170, paras. 00148-00149); receiving a message comprising a time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054) via the external card interface (communication interface 390 to exchange data, messages, commands and responses between the user authentication device 240 and the security device 395, para. 0148); computing (user authentication device delegates some of the cryptographic calculations for generating the dynamic security value to the removable security device, para. 00148) the dynamic security code (The user authentication device processes the Authentication Initiating Message and generates a Response Message 440 comprising a dynamic security value, para. 00173) based on the time (the user authentication device uses a time-related value in the calculation of the dynamic security value, para. 00211) and a key (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017) stored at the card (removable security device may securely store and handle secret keys and perform certain cryptographic calculations, para. 00148); sending the dynamic security code to the electronic device via the external card interface (the Response Message is presented to the user authentication device to the user by means of the user output interface which the user may copy to the access device to send to the authentication server, para. 00199).  
  
In regards to claim 2, Coulier discloses the method according to claim 1, and further discloses a method comprising determining an authenticity (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) of the message comprising the time (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00227).

In regards to claim 3, Coulier discloses the method according to claim 1, and further discloses wherein at least one of: computing the dynamic security code (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017); sending the dynamic security code; are only performed if the message comprising the time (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00227) is determined to be authentic (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054).

In regards to claim 4, Coulier discloses the method according to claim 2 and further discloses wherein the message comprising the time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054) comprises a Message Authentication Code, MAC (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120), and determining an authenticity of the message (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value, para. 0054) comprises: computing a Message Authentication Code at the card (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120) using a key stored at the card (In some embodiments the verification of the server credential is done using a symmetric cryptographic algorithm that uses a secret key shared with the server, para. 0027); and comparing the computed Message Authentication Code with the Message Authentication Code in the received message (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00228).  

In regards to claim 6, Coulier discloses the method according to claim 1, and further discloses comprising: receiving a personal identification number, PIN, from the electronic device (the authentication device is adapted to receive a PIN provided by the user and pass the PI to a smart card for verification, para. 0020) via the external card interface (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149); determining if the personal identification number is correct (authentication device may deem the PIN or password verification successful if the PIN or password value provided by the user matches the stored reference value, para. 00136); and only computing the dynamic security code if the personal identification number is determined to be correct (user authentication device is adapted to abort the generation of the Response Message if the PIN or password verification fails, para. 00136).

In regards to claim 16, Coulier discloses the method according to claim 3, and further discloses wherein the message comprising the time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054) comprises a Message Authentication Code, MAC (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120), and determining an authenticity of the message (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value, para. 0054) comprises: computing a Message Authentication Code at the card (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120) using a key stored at the card (In some embodiments the verification of the server credential is done using a symmetric cryptographic algorithm that uses a secret key shared with the server, para. 0027); and comparing the computed Message Authentication Code with the Message Authentication Code in the received message (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00228).  
In regards to claim 19, Coulier discloses the method according to claim 2, and further discloses receiving a personal identification number, PIN, from the electronic device (the authentication device is adapted to receive a PIN provided by the user and pass the PI to a smart card for verification, para. 0020) via the external card interface (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149); determining if the personal identification number is correct (authentication device may deem the PIN or password verification successful if the PIN or password value provided by the user matches the stored reference value, para. 00136); and only computing the dynamic security code if the personal identification number is determined to be correct (user authentication device is adapted to abort the generation of the Response Message if the PIN or password verification fails, para. 00136).

In regards to claim 20, Coulier discloses the method according to claim 3, and further discloses receiving a personal identification number, PIN, from the electronic device (the authentication device is adapted to receive a PIN provided by the user and pass the PI to a smart card for verification, para. 0020) via the external card interface (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149); determining if the personal identification number is correct (authentication device may deem the PIN or password verification successful if the PIN or password value provided by the user matches the stored reference value, para. 00136); and only computing the dynamic security code if the personal identification number is determined to be correct (user authentication device is adapted to abort the generation of the Response Message if the PIN or password verification fails, para. 00136).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 7, 10, and 13-15, are rejected under 35 U.S.C. 103 as being unpatentable over Coulier, in view of US 2016/0148194 to Guillaud et al. (hereinafter referred to as Guillaud).

In regards to claim 7, Coulier discloses a method of generating a dynamic security code (cryptographically generate a dynamic security value, para. 00139) for a card transaction (system authenticates users to authenticate transactions submitted by users to an application, para. 00106), the method comprising at an electronic device external to the card (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149): receiving a user request to generate a dynamic security code (The access device obtains the Authentication Initiating message and emits a signal encoding the messages which is captured by the user authentication device, para. 00169); sending a request to generate a dynamic security code to the card (the emitted signal is captured at the user authentication device and decoded to obtain the Authentication Initiation Message 435, para. 00170, paras. 00148-00149) via a device-to-card interface (communication interface 390 to exchange data, messages, commands and responses between the user authentication device 240 and the security device 395, para. 0148); receiving a message comprising a time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); sending the message comprising the time to the card via the device-to-card interface (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); receiving the dynamic security code from the card via the device-to-card interface (The user authentication device processes the Authentication Initiating Message and generates a Response Message 440 comprising a dynamic security value, para. 00173), wherein a value of the dynamic security code is based on the time (the user authentication device uses a time-related value in the calculation of the dynamic security value, para. 00211); and causing the dynamic security code to be displayed on a display of the electronic device (the Response Message is presented to the user authentication device to the user by means of the user output interface which the user may copy to the access device to send to the authentication server, para. 00199).  Coulier fails to disclose sending a time request to a time source external to the electronic device; and receiving a message from the time source.
Guillaud, in the related field of enhanced security features for smart, debit, and credit cards, teaches sending a time request (time based methodology for generation of security codes requires the card to have wireless access to a time keeping system to synchronize the generation of the security codes, paras. 0064-0067) to a time source external to the electronic device (time based methodology for the generation of security codes requires the card to connect to the payment processor or 3rd party who maintains a clock for synchronization timing solutions, para. 0065); and receiving a message from the time source (the security code sent to a payment processor for authentication may be automatically generated by algorithms running on a microprocessor located in the card and generated for each of the time period windows Period 1, Period 2, and Period 3 with the payment processor’s computer system comparing the card’s security code 111 corresponding to Period 1 to the payment processor’s security authorization system 816 security code 111 for Period 1 to see if they match, paras. 0067-0068).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to provide the card of Coulier with the ability to send a request to a time source and receive a message from the time source as taught by Guillaud.  The motivation for doing so would have been to enable the use of a dynamically generated security code using a time based implementation methodology for added protection (Guillaud, paras. 0064-0068).

In regards to claim 10, Coulier discloses the method according to claim 7, and discloses a method further comprising: causing (83B) the display (14) of the electronic device (10) to display a request for a personal identification number, PIN (the user may be prompted by the user authentication device to provide a PIN or password and the user authentication device may capture the PIN or password that the user provides, para. 00183); receiving a PIN entered by a user on a user input device (13) of the electronic device (10); and sending the PIN to the card (35) via the device-to-card interface (the authentication device is adapted to receive a PIN provided by the user and pass the PI to a smart card for verification, para. 0020).

In regards to claim 13, Coulier discloses a card capable of generating a dynamic security code (cryptographically generate a dynamic security value, para. 00139) for a transaction (system authenticates users to authenticate transactions submitted by users to an application, para. 00106) comprising: a secure element with storage (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149); an external card interface (communication interface 390 to exchange data, messages, commands and responses between the user authentication device 240 and the security device 395, para. 0148); wherein the storage is configured to store a key (removable security device may securely store and handle secret keys and perform certain cryptographic calculations, para. 00148) and wherein the secure element is configured to: receive a request (The access device obtains the Authentication Initiating message and emits a signal encoding the messages which is captured by the user authentication device, para. 00169) to generate a dynamic security code (user authentication device delegates some of the cryptographic calculations for generating the dynamic security value to the removable security device, para. 00148) from an electronic device external to the card (The access device obtains the Authentication Initiating message and emits a signal encoding the messages which is captured by the user authentication device, para. 00169) via the external card interface (the emitted signal is captured at the user authentication device and decoded to obtain the Authentication Initiation Message 435, para. 00170, paras. 00148-00149); receive a message comprising a time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054) via the external card interface (communication interface 390 to exchange data, messages, commands and responses between the user authentication device 240 and the security device 395, para. 0148); compute (user authentication device delegates some of the cryptographic calculations for generating the dynamic security value to the removable security device, para. 00148) the dynamic security code (The user authentication device processes the Authentication Initiating Message and generates a Response Message 440 comprising a dynamic security value, para. 00173) based on the time (the user authentication device uses a time-related value in the calculation of the dynamic security value, para. 00211) and the stored (removable security device may securely store and handle secret keys and perform certain cryptographic calculations, para. 00148) key (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017); send the dynamic security code to the electronic device via the external card interface (the Response Message is presented to the user authentication device to the user by means of the user output interface which the user may copy to the access device to send to the authentication server, para. 00199).  However, Coulier fails to disclose wherein the card comprises a processor.
Guillaud, in the related field of enhanced security features for smart, debit, and credit cards, teaches wherein the card comprises a processor (credit card 100 may contain a display 104, processor, receiver, and transmitter, paras. 0029).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to provide the card of Coulier with a processor as taught by Guillaud.  The motivation for doing so would have been to use the internal card processor for transferring card data such as the account number, expiration date and PIN security code to the wireless card reader terminal. (Guillaud, paras. 0029).

In regards to claim 14, Coulier discloses the card according to claim 13 and further discloses wherein the secure element (user authentication device may comprise a removable security device adapted to securely store and handle secret keys and perform certain cryptographic calculations, para. 0148) is configured to determine an authenticity of the message comprising the time (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054).

  regards to claim 15, Coulier discloses an electronic device capable of dynamically generating a security code for a card transaction (method to secure a remote server based application being accessed by a user through an access device, which comprises a computing device such as the user's PC or laptop, communicating with the application server over a computer network e.g. the internet, para. 0041), the electronic device being separate from the card (user authentication device 240 may comprise a removable security device 395 which may comprise a smart card or SIM, and smart card may comprise an EMV (Europay-Mastercard-Visa) card, para. 00149), the electronic device comprising: a processor; storage; a device-to-card interface; a user input device; a display (access device, which comprises a computing device such as the user's PC or laptop, communicating with the application server over a computer network e.g. the internet, para. 0041); wherein the electronic device is configured to: receive a user request to generate a dynamic security code from the user input device (The access device obtains the Authentication Initiating message and emits a signal encoding the messages which is captured by the user authentication device, para. 00169); send a request to generate a dynamic security code to the card (the emitted signal is captured at the user authentication device and decoded to obtain the Authentication Initiation Message 435, para. 00170, paras. 00148-00149) via the device-to-card interface (communication interface 390 to exchange data, messages, commands and responses between the user authentication device 240 and the security device 395, para. 0148); receive a message comprising a time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); send the message comprising the time to the card via the device-to-card interface (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); receive the dynamic security code from the card via the device-to-card interface (The user authentication device processes the Authentication Initiating Message and generates a Response Message 440 comprising a dynamic security value, para. 00173); and cause the dynamic security code to be displayed on the display of the electronic device (the Response Message is presented to the user authentication device to the user by means of the user output interface which the user may copy to the access device to send to the authentication server, para. 00199).  Coulier fails to disclose sending a time request to a time source external to the electronic device; and receiving a message from the time source.
Guillaud, in the related field of enhanced security features for smart, debit, and credit cards, teaches sending a time request (time based methodology for generation of security codes requires the card to have wireless access to a time keeping system to synchronize the generation of the security codes, paras. 0064-0067) to a time source external to the electronic device (time based methodology for the generation of security codes requires the card to connect to the payment processor or 3rd party who maintains a clock for synchronization timing solutions, para. 0065); and receive a message from the time source (the security code sent to a payment processor for authentication may be automatically generated by algorithms running on a microprocessor located in the card and generated for each of the time period windows Period 1, Period 2, and Period 3 with the payment processor’s computer system comparing the card’s security code 111 corresponding to Period 1 to the payment processor’s security authorization system 816 security code 111 for Period 1 to see if they match, paras. 0067-0068).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to provide the card of Coulier with the ability to send a request to a time source and receive a message from the time source as taught by Guillaud.  The motivation for doing so would have been to enable the use of a dynamically generated security code using a time based implementation methodology for added protection (Guillaud, paras. 0064-0068). 

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Coulier, in view of US 8,577,803 to Chatterjee et al. (hereinafter Chatterjee).

In regards to claim 12, Coulier discloses the method according to claim 1, but fails to disclose wherein at least one of the external card interface (330) and the device-to-card interface (16) is a near field communication, NFC, interface.
Chatterjee, in the related field of virtual wallet card selection apparatus, teaches wherein at least one of the external card interface (330) and the device-to-card interface (16) is a near field communication, NFC, interface (user input may include activating an NFC equipped hardware device such as an electric card, col. 39, lines 19-39).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to provide the method of Coulier with NFC as provided by the method of Chatterjee.  The motivation for doing so would have been to enable communication via NFC (Chatterjee, col. 39, lines 19 – col. 40, line 14).

Allowable Subject Matter
Claims 5, 8, 9, 11, 17, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable over the prior art if rewritten in independent form including all of the limitations of the base claim and any intervening claims; and would be allowable if rewritten to overcome the rejections under 35 U.S.C. 101 set forth in this Office Action.
  
The following is a statement of reasons for the indication of allowable subject matter of dependent claims 5, 8, 9, 11, 17, and 18 over prior art. 
The closest prior art of record is WO 2014022778 to Coulier, US 2016/0148194 to Guillaud et al. (hereinafter referred to as Guillaud), US 9,947,001 to Smith et al. (hereinafter Smith), US 8,577,803 to Chatterjee et al. (hereinafter Chatterjee), and US 2011/0225089 to Hammad (hereinafter referred to as Hammad).  Allowable subject matter is indicated because none of the prior art of record, alone or in combination, appears to teach or fairly suggest or render obvious the combination set forth in dependent claims 5, 8, 9, 11, 17, and 18.  For dependent claim 5, the prior art of Coulier, Guillaud, Smith, Chatterjee, and Hammad, specifically do not disclose: “wherein the card stores an identifier (ID) which identifies a time key (time-key lD) stored at the card used to authenticate the message; and the method comprises: receiving, via the external card interface (330) of the card, a request for the identifier (ID) from the electronic device; and sending the identifier (ID) to the electronic device via the external card interface (330)”.  Similar reasoning and rationale apply to dependent claims 8, 9, 11, 17, and 18. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
 Tanner et al. (US 10,572,873) teaches verifying the source of an authorization request for payment card transactions.
Gordon et al. (US 10,116,447) teaches secure authentication of user and mobile device.
Makhotin et al. (US 10,223,694) teaches provisioning mobile payment applications on mobile communication devices.
Dubouis et al. (Dynamic Security Codes) teaches dynamic security code cards that utilize an internal clock.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul Schwarzenberg whose telephone number is (313) 446-6611.  The examiner can normally be reached on Monday-Thursday (7:30-6:30).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon, can be reached on (571) 270-3602.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/PAUL S SCHWARZENBERG/Examiner, Art Unit 3695                                                                                                                                                                                                        6/13/2022