DETAILED ACTION
Acknowledgements
This Office Action is in response to Applicant’s response filed on 6/7/22.
The Examiner notes that citations to United States Patent Application Publication paragraphs are formatted as [####], #### representing the paragraph number.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Status of Claims
Claims 10-11, 13-16, 18-20, 26-27, 30-34, 37-39 are currently pending.
Claims 10-11, 13-16, 18-20, 26-27, 30-34, 37-39 are rejected as set forth below.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/7/22 has been entered.
 
	Response to Arguments	
Claim Rejections - 35 U.S.C. § 112(a)
Applicant’s arguments with respect to claim(s) 10, 15 have been fully considered and are persuasive. The rejection (and corresponding rejections to its dependent claims, if applicable) is withdrawn.

Claim Rejections - 35 U.S.C. § 112(b)
Applicant’s arguments with respect to claim(s) 10, 15 have been fully considered and are persuasive. The rejection (and corresponding rejections to its dependent claims, if applicable) is withdrawn.

Claim Rejections - 35 U.S.C. § 103
Applicant’s arguments with respect to claims 10-11, 13-16, 18-20, 26-27, 30-34, 37-39 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Applicant contends Muscato fails to teach or suggest the limitation “the dynamically-generated CVV is generated upon validation of the mobile device, the account, and the user by the server computer using one or more validation tests”. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Specifically, Royyuru is relied upon to teach generating a dynamic device verification value upon validation of the mobile device, the account, and the user by the server computer using one or more validation tests, and Muscato is relied upon to teach generating a dynamic card verification value.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 10, 13-15, 18-20, 26-27, 29, 32-34, 36, 39 are rejected under 35 U.S.C. 103(a) as being unpatentable over United States Patent Application Publication No. 2011/0153496 to Royyuru in view of United States Patent Application Publication No. 20090173782 to Muscato.
As per claims 10, 15, Royyuru teaches:
A mobile device comprising: a processor; and a computer readable medium coupled to the processor, wherein the computer readable medium comprises code that when executed by the processor, causes the processor to: ([0042], “The system 300 can also comprise a merchant system 340 providing an e-commerce website 330 and a client device 305 such as a desktop or laptop computer, Personal Digital Assistant, smartphone, or other computing device.”)
generate a first request for a first device verification value, the first request including account information identifying an account associated with a portable consumer device, information associated with the mobile device of a user, and information about the user; send the first request to a server computer; ([0043], “The payment processor system 350 can receive the request for the card-not-present transaction. The request for the card-not-present transaction can be received from either the client device 305 or the merchant system 340 as noted above. In either case, the request can include information identifying the user of the client device 305 but which is not sufficient for conducting a financial transaction. For example, the information identifying the user of the client device can comprise one or more of a phone number, an email address, a last four digits of the true PAN and/or other such identifying information.”)
receive the first device verification value from the server computer, wherein the first device verification value is a temporary first device verification value that is valid for a first predetermined number of transactions or for a first predetermined amount of time, wherein the temporary first device verification value is generated upon validation of the mobile device, the account, and the user by the server computer using one or more validation tests, wherein the first device verification value is separate and different from an identifier identifying the account; interact with an access device of a first merchant in connection with a first transaction; ([0044], “In response to authenticating the user of the client device 305, the payment processor system 350 can generate, e.g., via generation module 360, the set of single-use payment information. The set of single-use payment information can include at least a one-time password and a dynamic Primary Account Number (PAN). The dynamic PAN can be valid for a single transaction and does not reveal a true PAN of the user of the client device.”; [0046], “In another example, the system may further comprise a mobile phone 310 or other mobile device of the user/consumer. In such a case, a phone number in the enrolled information 355, i.e., registered by the user/consumer during enrollment, can comprise a phone number of the mobile phone 310 and providing the single-use payment information to the enrolled consumer/user can comprise sending an email message or a Short Message Service (SMS) message including the single-use payment information from the payment processor system 305 to the mobile phone 310.”)
transmit the first device verification value to the first merchant associated with the first transaction based on interaction between the mobile device and the access device of the first merchant, wherein the first device verification value is provided to the access device in connection with the first transaction; ([0047], “The consumer/user can then use the dynamic PAN and OTP in place of the true PAN to conduct the card-not-present transaction. For example, the consumer can enter the dynamic PAN in a "Card Number" field of the checkout page 335 or other page of the merchant's e-commerce website 330. Additional, the consumer may use the, OTP, either alone or in combination with a Personal Identification Number (PIN) in a "Cardholder Verification" (CV) or other appropriate field on the merchant's checkout page 335. In other words, the client device 305 can provide to the merchant system 340 the dynamic PAN 326 and cardholder verification information 327 to affect payment of the card-not-present transaction. The merchant system 340 can in turn receive the dynamic PAN 326 and cardholder verification information 327 and send a request to process payment of the card-not-present transaction to the payment processor system 305, for example via a payment network 345.”)
Royyuru does not explicitly teach, but Muscato teaches:
generating a dynamic card verification value; ([0034], “In response to receiving the request for a dynamically-generated CVV, card processing server 10 dynamically generates a CVV for the credit card. As discussed in detail below, card processing server 10 may dynamically generate the CVV for the credit card in a variety of ways. After card processing server 10 dynamically generates the CVV for the credit card, card processing server 10 stores the dynamically-generated CVV in a database.”)
interact with an access device of a first merchant in connection with a first transaction after the access device receives the identifier identifying the account from the user; ([0037], “User 8 may interact with cardholder device 4 to perform the economic transaction in a variety of ways. For example, cardholder device 4 may execute a web browser application. In this example, user 8 may use the web browser application to send, via network 6, a request for an e-commerce web page to a merchant server 12. Furthermore, in this example, the web browser application may receive the e-commerce web page from merchant server 12. The e-commerce web page may include features that allow user 8 to enter details of the credit card. For instance, the e-commerce web page may include a text box associated with a card number of the credit card, a text box associated with an expiry date of the credit card, and a text box associated with a CVV of the credit card.”; [0042], “When merchant server 12 receives a transaction acceptance message from card processing server 10, merchant server 12 sends to cardholder device 4 a message that notifies user 8 that the economic transaction was accepted.”)
One of ordinary skill in the art would have recognized that applying the known technique of Muscato to the known invention of Royyuru would have yielded predictable results and resulted in an improved invention. It would have been recognized that the application of the technique would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such dynamic card verification value features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the first device verification value to be a dynamic card verification value results in an improved invention because applying said technique adds another layer of increased security that makes it harder for a nefarious entity to use the credit card information in an unauthorized transaction.
As per claims 13, 18, Royyuru teaches:
wherein the first device verification value is received if the first request is validated based at least in part on the account information. ([0044], “The payment processor system 350 can read the enrollment information 355 for the user of the client device 305 and authenticate the user of the client device 305, e.g., via an authentication module 361, based at least in part on the information of the request identifying the user of the client device 305 and the enrollment information 355 for the user of the client device 305. In response to authenticating the user of the client device 305, the payment processor system 350 can generate, e.g., via generation module 360, the set of single-use payment information.”)
As per claim 14, Royyuru teaches:
wherein the first device verification value is transmitted to a payment processing network in an authorization request message associated with the first transaction. ([0047])
As per claim 19, Royyuru teaches:
prior to sending, by the mobile device, the first device verification value to the first merchant: initiating the first transaction with the first merchant; and interacting with the access device for the first merchant associated with the first transaction using the mobile device. ([0047])
As per claim 20, Royyuru teaches:
wherein the interaction between the mobile device and the access device comprises short-range wireless communication; and wherein the first device verification value is transmitted to a payment processing network in an authorization request message associated with the first transaction. ([0049], “It should be noted that while described herein with reference to an e-commerce transaction conducted through a merchant's e-commerce website, such an implementation is not required. Rather, embodiments of the present invention are thought to be equally useful with other implementations of a card-not-present transaction. That is, embodiments of the present invention may be implemented to process any transaction wherein presentation or use of a physical card or information therefrom is not possible, practical, or desirable. For example, embodiments of the present invention may be implemented to support transactions through a point-of-sale terminal of a merchant wherein the consumer can receive and supply, manually or through a mobile device, the dynamic PAN and OTP in place of a true PAN and CV information.”)
As per claims 26, 33, Royyuru teaches:
after the first device verification value becomes invalid: generate a second request for a second device verification value; send the second request to the server computer; and receive the second device verification value from the server computer, wherein the second device verification value is a temporary second device verification value that is valid for a second predetermined number of transactions or for a second predetermined amount of time, wherein the temporary second device verification value includes information related to validation of the mobile device by the server computer. ([0042] – [0047], The Examiner notes the dynamic PAN is single-use. Therefore, it will become invalid after a single transaction and another dynamic PAN will need to be requested.)
As per claims 27,34, Royyuru teaches:
interact with an access device of a second merchant in connection with a second transaction; and send the second device verification value to the second merchant associated with the second transaction based on interaction between the mobile device and an access device of the second merchant. ([0047], The Examiner notes a plurality of merchants exists in the system of Royyuru.)
As per claims 29, 36, Royyuru teaches:
wherein the first request for the first device verification value includes information associated with an accountholder. ([0043])
As per claims 32, 39, Royyuru teaches:
wherein the information associated with the mobile device includes a SIM card information, an application specific information, an IP address information, a hardware specific information, or a serial number. ([0043], The Examiner notes a phone number is a hardware specific information.”)


Claims 11, 16 are rejected under 35 U.S.C. 103(a) as being unpatentable over United States Patent Application Publication No. 2011/0153496 to Royyuru in view of United States Patent Application Publication No. 20090173782 to Muscato, and further in view of United States Patent Application Publication No. 2009/0143104 to Loh.
As per claims 11, 16, Royyuru as modified does not explicitly teach, but Loh teaches:
prior to generating the first request: receive identification information stored on the portable consumer device based on an interaction between the portable consumer device and the mobile device. ([0033], “Embodiments of the invention relate to a wireless smart card that can be used to conduct contactless transactions, etc., which also includes the ability to communicate with and be managed by a mobile communication device, such as a cellular phone via a conventional personal communication network (PCN) or personal area network (PAN). In one embodiment, the wireless smart card communicates with the mobile communication device through use of the well known Bluetooth wireless protocol. Contactless transactions that can be performed with the wireless smart card include contactless payment, near field communication (NFC) with other NFC devices (i.e. peer-to-peer communication), and Radio Identification (RFID) reading/writing, which can be made in a secure and efficient manner. The wireless smart card can be used to provision or modify secure personal credentials, store and modify monetary values, upload or review transactions, and read and download information from external transaction devices, such as smart posters and other NFC or RFID devices. Because the wireless smart card can communicate with both the mobile communication device and the external transaction devices, users are not required to change their mobile communication devices. In addition, users who have multiple mobile communication devices can use the wireless smart card for contactless payment, near field communication or other transaction functions using any of their mobile communication devices that support PCN's.”)
One of ordinary skill in the art would have recognized that applying the known technique of Ginter to the known invention of Royyuru as modified would have yielded predictable results and resulted in an improved invention. It would have been recognized that the application of the technique would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such portable consumer device features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the invention to receive identification information stored on the portable consumer device based on an interaction between the portable consumer device and the mobile device results in an improved invention because it allows for identification information stored on the portable consumer device to be easily shared with the mobile device via wireless communication without requiring user input, thus improving the overall efficiency of the invention.

Claims 30-31, 37-38 are rejected under 35 U.S.C. 103(a) as being unpatentable over United States Patent Application Publication No. 2011/0153496 to Royyuru in view of United States Patent Application Publication No. 20090173782 to Muscato, and further in view of United States Patent Application Publication No. 2002/0112171 to Ginter.
As per claims 30, 37, Royyuru as modified does not explicitly teach, but Ginter teaches:
receive data from the server computer via a secure communications session. ([1680] – [1681], “Two parties (e.g., PPEs A and B), will need to establish a communication channel that is known by both parties to be secure from eavesdropping, secure from tampering, and to be in use solely by the two parties whose identifies are correctly known to each other.”)
One of ordinary skill in the art would have recognized that applying the known technique of Ginter to the known invention of Royyuru as modified would have yielded predictable results and resulted in an improved invention. It would have been recognized that the application of the technique would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such cryptography features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the mobile device to receive data, i.e. the first device verification value, from the server computer via a secure communications session results in an improved invention because applying said technique secures the communication channel from eavesdropping and tampering, thus improving the overall security of the invention (Ginter, [1681]).
As per claims 31, 38, Royyuru as modified does not explicitly teach, but Ginter teaches:
register for a secure communications session with the server computer, wherein registering establishes a session key, wherein data is encrypted with the session key. ([1697], “These steps establish the identity of the correspondent party B and proposes a communication. Because establishment of the communication will require validation of claims made by B, a means must be provided for A to validate such claims.”; [1714], “Create unique session key to be used for the proposed communication.”)
One of ordinary skill in the art would have recognized that applying the known technique of Ginter to the known invention of Royyuru as modified would have yielded predictable results and resulted in an improved invention. It would have been recognized that the application of the technique would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such cryptography features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the mobile device to register for a secure communications session with the server computer, wherein registering establishes a session key, wherein data is encrypted with the session key, results in an improved invention because applying said technique secures the communication channel from eavesdropping and tampering, thus improving the overall security of the invention (Ginter, [1681]).
	
	
	
	
	



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
United States Patent Application Publication No. 2012/0116902 to Cardina discloses systems and methods for improving security in mobile payment systems are described. A user device may be operated to request temporary account data for an account. No actual account number may be stored on the device. A remote system may correlate temporary account data to actual account data and transmit temporary account data to the user device, which use the data to make a purchase or generate a temporary account number than may be used to make a purchase. Temporary account data may be automatically erased or expire. A purchase authorization request may be sent by a merchant with temporary account data to a provider of temporary account data. The provider may transmit a request for purchase authorization using actual account data to a payment processor, sending a response to the merchant that does not include actual account data based on a response from the payment processor.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAY HUANG whose telephone number is (408)918-9799.  The examiner can normally be reached on 9:00a - 5:30p PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Anita Coupe can be reached on (571) 270-3614.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAY HUANG/Primary Examiner, Art Unit 3685