DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on November 19, 2021 has been entered.
 
Response to Amendment
The amendment filed November 19, 2021 has been entered. Claims 1-2 and 5-7 remain pending in the application. Applicant’s amendments to the Claims have overcome each and every 101 rejections previously set forth in the Final Office Action mailed August 19, 2021.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-2 and 5-7 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The limitation “injecting, by the merchant point of sale device, the cryptogram and the account identifier into a transaction request” in claim 1, lines 31-32 is not disclosed in the original disclosure. Claims 2 and 5-7 are rejected due to their dependencies.
Appropriate correction/clarification is required. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Ghosh et al. (US 7357309 B2; already of record in IDS; hereinafter Ghosh) in view of Choyi et al. (WO 2015031184 A2; hereinafter Choyi), and in further view of Peart et al. (US 20050033688 A1; hereinafter Peart). 
With respect to claim 1:
	Ghosh teaches A method for activating a merchant-specific cryptogram lockbox, comprising: (See at least Ghosh: 12/1-11)
calling, by a merchant-specific cryptogram lockbox in a merchant datacenter or a merchant cloud, a financial institution backend with a startup code comprising a unique value that authorizes use of the merchant-specific cryptogram lockbox by a merchant and cryptogram lockbox metadata for the merchant-specific cryptogram lockbox, wherein the startup code was provided to a backend for the merchant by the financial institution backend; (By disclosing, a security lock-box (cryptogram lockbox) can be used for storage of EMV symmetric key and generation of EMV application cryptograms, and the Sym-Locker may be implemented in the card-reader terminal hardware (merchant-specific). In addition, the Sym-Locker should provide APIs (startup code) for secure provisioning of the EMV symmetric key into the locker, depending on where the Sym-Locker is implemented (unique value and lockbox metadata). Furthermore, the EMV symmetric key may be generated by the EMV issuer and delivered to the personal trusted device 118 for storage and subsequent generation of the EMV application cryptograms. Therefore, the APIs or startup code was provided by the financial institution. See at least Ghosh: 12/22 & 8/40-55)
establishing, by the merchant-specific cryptogram lockbox, a secure communication channel with the financial institution backend, wherein the secure communication channel uses [IP whitelisting] and/or two-way SSL; (By disclosing, the EMV-proxy module and the personal trusted device establish a secure wireless connection (e.g., a TLS/SSL connection) therebetween (two-way SSL). In addition, Sym-Locker should provide APIs for secure provisioning of the EMV symmetric key into the locker, which may also be interpreted as secure communication channel. See at least Ghosh: 9/54-60 & 12/12-22)
receiving, by the merchant-specific cryptogram lockbox, limited use keys from the financial institution backend over the secure communication channel; (By disclosing, the EMV symmetric key may be generated by the EMV issuer and delivered to the personal trusted device 118 for storage and subsequent generation of the EMV application cryptograms. As stated above, the Sym-Locker may be implemented in the card-reader terminal hardware. See at least Ghosh: 8/40-55 & 12/1-11)
receiving, by the merchant-specific cryptogram lockbox and from a merchant point of sale device, a call requesting a cryptogram [comprising an account identifier for an account in a transaction]; (By disclosing, the EMV-proxy module presents the cardholder verification results (a call requesting a cryptogram) to the EMV card-reader terminal module. In addition, the Sym-Locker should be able to use the result of the user's authentication to the EMV-proxy module in order to generate and release the cryptogram for the mobile-EMV transaction. Furthermore, in order for the EMV issuer back office 104 to process any EMV transaction, a cardholder account must first be created. Therefore, the cryptogram needs to be related to the account or account identifier. See at least Ghosh: 10/41-43; 12/26-32 & 5/25-30)
generating, by the merchant-specific cryptogram lockbox, the cryptogram [for the account identifier] using the limited use keys; and (As stated above, and by further disclosing, a new Application Cryptogram (AC) is generated by the EMV card-reader terminal module at step 464 and sent to the EMV-proxy module. See at least Ghosh: 10/46-49 & 12/26-32)
injecting, by the merchant point of sale device, the cryptogram and the account identifier into a transaction request. (By disclosing, the EMV-proxy module forwards the AC to the EMV card-reader terminal module, which in turn may forward the AC to the EMV issuer back office, depending on whether the transaction is an online transaction or an offline transaction (transaction request). See at least Ghosh: 10/54-60)
	However, Ghosh does not teach ...IP whitelisting, and ...[cryptogram] comprising an account identifier for an account in a transaction or ...[cryptogram] for the account identifier.
	Choyi, directed to methods, apparatus and systems for wireless network selection and thus in the same field of endeavor, teaches
...establishing, by the merchant-specific cryptogram lockbox, a secure communication channel with the financial institution backend, wherein the secure communication channel uses IP whitelisting and/or two-way SSL;. (By disclosing, the network stack 2230 may be configured with the rules, including some or all traffic from whitelisted MAC addresses and/or to whitelisted IP addresses to pass. In addition, other security measures may be used (e.g., using end-to-end secure socket layer (SSL)). See at least Choyi: [0193] & [0184])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the EMV transactions in mobile terminals teachings of Ghosh to incorporate the methods, apparatus and systems for wireless network selection teachings of Choyi for the benefit of security over the Internet. (See at least Choyi: [0184])
However, Ghosh and Choyi do not teach explicitly ...[cryptogram] comprising an account identifier for an account in a transaction or ...[cryptogram] for the account identifier.
	Peart, directed to methods and apparatus for a secure proximity integrated circuit card transactions and thus in the same field of endeavor, teaches
...[cryptogram] comprising an account identifier for an account in a transaction, or ...[cryptogram] for the account identifier (By disclosing, the merchant system 704 determines that the transaction should proceed online for approval, then the merchant system 704 may request an Authorization Request Cryptogram (ARQC) for a request for approval online. See at least Peart: [0117] & [0124]-[0125])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Ghosh and Choyi to incorporate the methods and apparatus for a secure proximity integrated circuit card transactions teachings of Peart for the benefit of cryptogram for a request for approval online. (See at least Peart: [0117])
With respect to claim 5:
	Ghosh, Choyi, and Peart teach the method of claim 1, as stated above.
Ghosh further teaches wherein the merchant-specific cryptogram lockbox is implemented in hardware. (By disclosing, a Sym-Locker may either be implemented in a smart-card based security element (i.e., the SWIM card), a smart-card without a security element, such as a standard SIM card (the SIM card provides symmetric key functionality), or in the card-reader terminal hardware. See at least Ghosh: 12/1-9)
With respect to claim 6:
	Ghosh, Choyi, and Peart teach the method of claim 1, as stated above.
Ghosh further teaches wherein the merchant-specific cryptogram lockbox is implemented in software. (By disclosing, Sym-Locker should provide APIs for secure provisioning of the EMV symmetric key into the locker. The API needs to allow provisioning of the symmetric key post issuance of the smart-card or the personal trusted device, depending on where the Sym-Locker is implemented. See at least Ghosh: 12/12-23)
With respect to claim 7:
	Ghosh, Choyi, and Peart teach the method of claim 1, as stated above.
Ghosh further teaches wherein the cryptogram lockbox metadata comprises at least one of a merchant-specific cryptogram lockbox identifier, a merchant-specific cryptogram lockbox location, and a merchant identifier. (By disclosing, the identity of the EMV-proxy module 114 (merchant-specific) may be verified by setting up a WTLS/TLS Class 2 connection. In addition, the API needs to allow provisioning of the symmetric key post issuance of the smart-card or the personal trusted device, depending on where the Sym-Locker is implemented (lockbox location). See at least Ghosh:  5/11-24 & 12/12-22)
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Ghosh in view of Choyi and in further view of Peart, and in further view of Lin (US 20120124646 A1; already of record in IDS; hereinafter Lin).
With respect to claim 2:
	Ghosh, Choyi, and Peart teach the method of claim 1, as stated above.
	However, Ghosh, Choyi, and Peart do not teach wherein the startup code is provided out- of-band.
Lin, directed to method and apparatus for authenticating online transactions using a browser, teaches wherein the startup code is provided out- of-band. (By disclosing, authentication server 110 generates an activation code, which is transmitted (320) to the service consumer himself using an out-of-band communication channel. Out-of-band activation code transmission substantially reduces the risk of fraud. See at least Lin:  [0036])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Ghosh, Choyi, and Peart to incorporate the method and apparatus for authenticating online transactions using a browser teachings of Lin for the benefit of out-of-band activation code transmission reducing the risk of fraud substantially. (See at least Lin:  [0009] & [0036])

Response to Arguments
Applicant's arguments with respect to the 103 rejections filed 11/19/2021 have been fully considered but they are not persuasive.
In response to applicant's argument that Ghosh… specifically discloses the generation of an application cryptogram, which appears to be related to the risk associated with the terminal, it is noted that Ghosh teaches that the EMV-proxy module forwards the AC to the EMV card-reader terminal module, which in turn may forward the AC to the EMV issuer back office, depending on whether the transaction is an online transaction or an offline transaction. In the example, the transaction is an online transaction based on the type of cryptograms generated. Also, Ghosh’s Sym-Locker should be able to use the result of the user's authentication to the EMV-proxy module in order to generate and release the cryptogram for the mobile-EMV transaction. That is, Ghosh’s cryptogram is not just for terminal risk management, but may be interpreted to teach cryptogram at least for “transaction request”, or even for “transaction authentication request” (See at least Ghosh: 10/41-62 & 12/26-29). Furthermore, Peart, in the same field of endeavor, teaches Authorization Request Cryptogram (ARQC) for a request for approval online (See at least Peart: [0117]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ngo et al. (US 20220019995 A1) teaches limited-use keys and cryptograms, including transaction cryptogram and merchant-specific cryptogram.
Bhandari et al. (US 20160381010 A1) teaches host card emulation systems and methods, including cryptogram, one-time key, and POS.
Le Saint et al. (US 20160218875 A1) teaches methods for secure credential provisioning, including cryptogram, LUK, and POS. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAY LEE whose telephone number is (571)272-3309.  The examiner can normally be reached on Monday-Friday 8-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





                                                                                                                                                                                           /CLAY C LEE/Examiner, Art Unit 3685