DETAILED ACTION
This office action is in response to applicant’s communication dated 3/15/2022.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims Status
Claims 1, 4, 5, 10, 13, and 19 are amended.
Claim 3 and 6 is canceled.
Claims 1, 2, 4, 5 and 7-20 are pending and are currently being examined.

Response to Amendment
103 Rejection
Applicant’s argument is moot in light of a new art and new grounds of rejection due to amended claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 7-8, 11-14, 16 and 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tomasofsky et al. (US20160078444; hereinafter: “Tomasofsky”) in view of Strayer et al. (US20040054622A1; hereinafter: ” Strayer”).

	As per claims 1, 13 and 19, Tomasofsky teaches an authentication platform (and respective method and storage media) for authenticating an online user, the authentication platform comprising:
a memory device; and at least one processor coupled to the memory device, the at least one processor programmed to: (see [0150]);
receiving, from an issuer computing device, and store in the memory device an authentication profile including routing rules (¶ 107 – “each particular issuing bank may provide its own custom set of rules to be applied by RBD module 750 to generate risk result 752.”, and ¶ 122- “RBD 920 may provide scoring with default scoring rules (e.g., one or more default scoring rules stored in a memory RBD 920)”);
receive an authentication request message (FIG. 9:910 and “[0116] …TPS 910 transmits a scoring request to a risk-based decisioning (RBD) system 920 for fraud analysis and scoring”); the authentication request message including authentication data (“[0116] …the scoring request to RBD system 920 includes infrastructure data such as one or more of transaction data, information about a computing device used to conduct the subject transaction (“device information”, e.g., geo-location data of the device Internet protocol (IP) address), additional payment card information not included in the transaction data (“payment card information”), information about a digital wallet used to conduct the subject transaction (“digital wallet information”, e.g., whether and/or how often this particular device has been used in conjunction with this digital wallet), and cart data associated with the subject transaction (“cart data”).”);
extract the authentication data from the authentication request message (“[0117] RBD system 920, in the example embodiment, scores the subject transaction for fraud using at least some of the provided data.”, extracting, from the request, of the provided data necessarily occurs before being able to “use” the provided data for the scoring);
generate, based at least in part on the extracted authentication data, RBA result data including a risk score (“[0117]…RBD system 920 generates a risk result 922 (e.g., a risk score) for the transaction”, RBA (risk-based authentication) synonymous to RBD (risk-based decisioning); see also [0090], risk result 752 includes one or more of (1) a numerical risk value computed for transaction 710 as a whole, and (2) a risk level indicator for transaction 710 as a whole, (3) one or more risk level indicators and/or numerical risk values for one or more of (a) a device score (e.g., for device 704), (b) a digital wallet score (e.g., for digital wallet 600), and (c) a payment card score (e.g., for payment card 712).);
generate an authentication decision based on the RBA result data and the authentication profile ([0122], In some embodiments, under Verify Checkout, TPS 910 invokes RBD 920 to calculate risk result 922. RBD 920 may provide risk scoring as described above similar to RBD 750 (shown in FIGS. 7 and 8). In some embodiments, RBD 920 may provide scoring with default scoring rules (e.g., one or more default scoring rules stored in a memory of RBD 920), or may apply issuer- or merchant-specific settings (e.g., one or more fraud scoring configuration parameters received from a merchant or an issuer). If, at 924, risk result 922 exceeds a pre-determined threshold, then a step-up challenge 932 may be presented to suspect consumer 902.)

Tomasofsky doesn’t teach/suggest, however, Strayer, in an analogous art of identifying potentially risky transactions (¶ 2), teaches/suggests the concept(s) of:
…. routing rules indicating where  (see claim 2, the method of claim 1, wherein processing the purchase card transaction according to merchant-specific rules includes: routing the transaction data to a routing destination determined from a first merchant-specific processing parameter associated with the identified card type.)
route the RBA result data based on the routing rules included in the authentication profile and the RBA result data by: 
determining, from the routing rules, whether the RBA result data should be routed to a source of the authentication request message, the issuer computing device, or an access control server (ACS) (see claim 2, The method of claim 1, wherein processing the purchase card transaction according to merchant-specific rules includes: routing the transaction data to a routing destination determined from a first merchant-specific processing parameter associated with the identified card type; see also [0016], A first one of the plurality of merchant-specific sets of transaction processing parameters may include a first routing destination parameter, and a second one of the merchant-specific sets of transaction processing parameters may include a second routing destination parameter different from the first routing destination parameter. The purchase card may bear a first badge identifying a first card issuing entity and a second badge identifying a second card issuing entity. In this case, the first routing destination parameter can correspond to a routing destination for a card product of the first card issuing entity while the second routing destination parameter corresponds to a routing destination for a card product of the second card issuing entity; and 

routing the RBA result data to the source of the authentication request message, the issuer computing device, or the ACS (see claim 3, the method of claim 2, wherein routing the transaction data includes:
adding the transaction data to a batch of transaction data to be transmitted to the routing destination.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Tomasofsky with the teaching of Strayer as they relate to a system/method of processing payment transactions.  The claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Tomasofsky offers the embodiment of managing risk and fraud associated with payment card transactions.  One of ordinary skill in the art at the time the invention was made would have recognized managing risk and fraud associated with payment card transactions as disclosed by Tomasofsky to the method of determining, from the routing rules, where would the RBA result data be routed to as taught by Strayer for the predicated result of improved systems and methods of a more efficient platform/method/media, e.g., which is capable of routing to authentication entities that are more appropriate capabilities for the transaction’s risk level, e.g., less/more experienced.


	As per claims 2 and 14, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 1 and the method of Claim 13 respectively.  Tomasofsky further teaches:  wherein the RBA result data further include at least one reason code (e.g., sub-scores or individual risk-based data elements) that indicates at least one factor that influenced the generated risk score (¶ 31 – “the RBD system may score the payment card transaction and provide an overall score and/or an overall recommendation to the issuer's ACS…The RBD system may send other “sub-scores” within the 3DS extension message, such as the device score, the digital wallet score, or the payment card score. In some embodiments, the RBD system may share individual risk-based data elements such as the method the suspect consumer authenticated into the digital wallet, or how long the digital wallet has been in service.”). 	

	As per claim 3, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 1.  Tomasofsky further teaches: wherein the routing rule cause the at least one processor is programmed to transmit the RBA result data to a source of the authentication request message (Tomasofsky FIG. 12:1206 and ¶ 144 – “transmitting 1206 an indication of acceptable risk to the merchant if the risk score satisfies a first pre-defined threshold.”). 

	As per claim 4, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 1.  Tomasofsky further teaches:
wherein the authentication request message is associated with an online payment card transaction (“[0026] One risk-based decisioning (RBD) system described herein evaluates payment card transactions involving digital wallets. During a payment card transaction, such as an online transaction on a merchant web site”), 
wherein the source of the authentication request message is one of the issuer computing device and a merchant (FIG. 12:1202 and ¶ 144 – “receiving 1202, from the merchant, transaction data associated with a payment card transaction.”). 

	As per claim 7, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 1, Tomasofsky further teaches: wherein the routing rule cause the at least one processor to determine a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”).
 
As per claim 8, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 7, Tomasofsky further teaches: wherein the at least one processor is programmed to transmit an authentication approval if the risk level is low (Tomasofsky ¶ 35 – “the RBD system scores the subject transaction based at least in part on the transaction data and the infrastructure data. If the score is below the pre-defined threshold (i.e., “less risky”), then the transaction will be approved at this stage and subsequently will continue through to authorization without additional authentication of the suspect consumer”). 
	
	As per claim 11, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 7. 
Tomasofsky, as modified, doesn’t directly teach, but 
However, Tomasofsky, suggests the concept(s) of:
wherein the at least one processor is programmed to transmit an authentication denied message if the risk level is high (¶ 81 – payment cards data 620 may indicate blacklisted cards, ¶ 52 – “the RBD module generates a risk score for the payment card transaction using payment card data” and “[0145]…method 1300 is performed by a computing system such as…RBD system 920 (shown in FIG. 9)…Method 1300 also includes transmitting 1308 the message with the first risk score included within the at least one extension field to a party associated with the payment card transaction for use during authentication of the payment card transaction.” And Table 3 in Page 12. Table 3 shows that a risk level may be “Negative”. And given that cards data 620 might indicate that a card is blacklisted, it would be understood by a person having ordinary skill in the art that the risk level that would be calculated and communicated by the RBD system, in the cases of blacklisted cards would be “Negative”, reflective of a “denied” authentication)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the at least one processor is programmed to transmit an authentication denied message if the risk level is high, as suggested by Tomasofsky, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more secure and efficient platform that may take into consideration of cards on a blacklist (too risky) to reject transactions involving these cards, without the need for further considerations/authentication steps.

	As per claim 12, Tomasofsky, as modified, teaches the authentication platform of Claim 1, 
wherein to generate RBA result data, the at least one processor is programmed to compare the authentication data to at least one of one or more long term variables and one or more short term variables (Tomasofsky ¶ 27 – “Digital wallet information may include information about the digital wallet used during the transaction, such as how the suspect consumer was authenticated into the digital wallet, whether the digital wallet has historically been used with the current computing device, or whether the shipping address of the current transaction is a shipping address previously used with the digital wallet”, where current [short –term] variables, like current computing device and current shipping address, has been used in the past [long-term variable] comparison), 
wherein the one or more long term variables include historical authentication data and historical authorization data (Tomasofsky ¶ 96 – “RBD module 750 examines historical data 760 involving past authentication results…RBD module 750 may raise or lower the access method score based on such historical verification data.” For historical authorization data see: Tomasofsky ¶ 78 – “device data 610 may include a fraudulent device status (e.g., whether the device has been involved in past fraudulent transactions)” and Tomasofsky ¶ 80 - “Similarly, if there are fraudulent transactions and/or transactions that result in a chargeback, then the subsequent transaction with that payment card/digital wallet may be scored in such a way indicating that the subsequent transaction is risker from a fraud perspective. Such data may be tied to a particular payment card, a particular digital wallet, and/or a particular device.” Also see Tomasofsky ¶ 27). 

As per claim 16, Tomasofsky, as modified, teaches the method of Claim 13, wherein routing the RBA result data further comprises:
	determining a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”); and 
transmitting an authentication approval if the risk level is low (Tomasofsky ¶ 35 – “the RBD system scores the subject transaction based at least in part on the transaction data and the infrastructure data. If the score is below the pre-defined threshold (i.e., “less risky”), then the transaction will be approved at this stage and subsequently will continue through to authorization without additional authentication of the suspect consumer” and ¶ 31 – “the RBD system sends risk-based decisioning data to the issuer's ACS via an extension message to the 3DS protocol”). 

	As per claim 18, Tomasofsky, as modified, teaches the method of Claim 13, wherein routing the RBA result data further comprises:
	determining a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”);
Tomasofsky, as modified, doesn’t directly teach: 
However, Tomasofsky, suggests the concept(s) of:
transmitting an authentication denied message if the risk level is high (¶ 81 – payment cards data 620 may indicate blacklisted cards, ¶ 52 – “the RBD module generates a risk score for the payment card transaction using payment card data” and “[0145]…method 1300 is performed by a computing system such as…RBD system 920 (shown in FIG. 9)…Method 1300 also includes transmitting 1308 the message with the first risk score included within the at least one extension field to a party associated with the payment card transaction for use during authentication of the payment card transaction.” And Table 3 in Page 12. Table 3 shows that a risk level may be “Negative”. And given that cards data 620 might indicate that a card is blacklisted, it would be understood by a person having ordinary skill in the art that the risk level that would be calculated and communicated by the RBD system, in the cases of blacklisted cards would be “Negative”, reflective of a “denied” authentication)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the at least one processor is programmed to transmit an authentication denied message if the risk level is high, as suggested by Tomasofsky, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more secure and efficient platform that may take into consideration of cards on a blacklist (too risky) to reject transactions involving these cards, without the need for further considerations/authentication steps.

Claim(s) 5 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tomasofsky et al. (US20160078444) in view of Strayer et al. (US20040054622A1; hereinafter: ” Strayer”), and further in view Epelman et al. (US20160210633; hereinafter: “Epelman”).

	As per claim 5, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 1.  Strayer further teaches:  wherein the routing rules cause the at least one processor (see [0019])

The combination does not explicitly disclose, Epelman teaches: embed the RBA result data into the authentication request message to generate an enhanced authentication request message (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”) and 
transmit the enhanced authentication request message to the ACS  (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”, it is understood by a person having ordinary skill in the art that the ACS is of or operates on behalf of the issuer)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of “embed the RBA result data into the authentication request message to generate an enhanced authentication request message” and “transmit the enhanced authentication request message to the ACS”, as taught/suggested by Epelman, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more practical platform, providing a feasible way to forward risk data to the issuer known transactions data field formats.

Tomasofsky further teaches: ….. to enable the ACS to make an authentication decision based on the RBS result data ([0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.)

As per claim 15, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 13. 

“Receiving a second authentication request message, the second authentication request message including second authentication data; Generating, based on at least in part on the second authentication data, second RBA result data including a second risk score; and routing the second RBA result data including in response to the status indicating that the ACS is available; The entire particular limitation (steps) is not germane to patentability because it is not required to be performed under the broadest reasonable interpretation.   See Schulhauser (MPEP 2111.04 (II)).   By performing “…. in response to the status indicating that the ACS is unavailable…..routing the RBA result data based on the routing rules……“ as in claim 13, it is implicitly known that the contrary limitation ““……………routing the second RBA result data including in response to the status indicating that the ACS is available….”” will also be met.  In other words, claim 15 is an extension of claim 13, in which claim 15 covers the case where the ACS has been determined to be available when claim 13 has already covered the case when ACS has been determined to be unavailable.



The combination does not explicitly disclosed, but Epelman teaches: embed the second RBA result data into the second authentication request message to generate an enhanced second authentication request message (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”) and 
transmit the second enhanced authentication request message to the ACS  (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”, it is understood by a person having ordinary skill in the art that the ACS is of or operates on behalf of the issuer)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of “embed the RBA result data into the authentication request message to generate an enhanced authentication request message” and “transmit the enhanced authentication request message to the ACS”, as taught/suggested by Epelman, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more practical platform, providing a feasible way to forward risk data to the issuer known transactions data field formats.

Tomasofsky further teaches: ….. to enable the ACS to make an authentication decision based on the RBS result data ([0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.)

Claim(s) 9-10, 17 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tomasofsky et al. (US20160078444; hereinafter: “Tomasofsky”) in view of Strayer et al. (US20040054622A1; hereinafter: ” Strayer”), and further in view of Powell (US20210090074; hereinafter “Powell”).

	As per claim 9, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 7.   Tomasofsky further teaches: wherein the at least one processor is programmed to:
	transmit a step-up challenge to the online user if the risk level is medium (Tomasofsky ¶ 35 – “If the score is above a pre-defined threshold (i.e., “more risky”) [“medium”], then the transaction will undergo additional, direct authentication of the suspect consumer (e.g., a 3DS “step-up” challenge).” And Tomasofsky ¶ 25 – “During some known 3-D Secure transactions, the suspect consumer (i.e., the consumer attempting to perform the payment card transaction with the merchant) is presented with an authentication challenge, sometimes called a “step-up challenge.” This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed” and Tomasofsky ¶ 119 – “may also prompt additional authentication challenge of suspect consumer 902.”);
	receive a response to the step-up challenge from the online user (Tomasofsky ¶ 25 – “This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed”);
	and determine an authentication decision based on the response to the step-up challenge and the RBA result data (Tomasofsky ¶ 36 – “having to answer an additional authentication challenge during a transaction” and Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”, the authentication decision is based on information provided by the RBD and additional authentication challenge, when required).
	The combination does not teaches, but Powell, in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
that the “step-up” challenge steps are performed by the ACS (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of that the “step-up” challenge steps are performed by the ACS, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user. 

	As per claim 10, the combination of Tomasofsky and Strayer teaches the authentication platform of Claim 7.  Tomasofsky further teaches: wherein the at least one processor is programmed to, based on the routing rules, transmit the RBA result data to the ACS if the risk level is medium (“[0031] In another aspect described herein, the RBD system sends risk-based decisioning data to the issuer's ACS”), 
	 The combination of Tomasofsky and Strayer doesn’t teach/suggest : but Powell teaches in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
wherein the ACS is configured to perform a step-up challenge (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the ACS is configured to perform a step-up challenge, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user.
Further concerning claim 10, claim analysis is highly fact-dependent. A claim is only limited by positively recited elements. See MPEP § 2115. Also see MPEP § 2111.04.I. Here, the "Wherein" clause(s) of “wherein the ACS is configured to perform a step-up challenge” raises questions as to the limiting effect of the clause’s language upon the claim. This “wherein” clause(s) includes an attempt to further limit the ACS, which isn’t even a positively recited subcomponents of the claimed authentication platform. Therefore, the "wherein" clause(s) is/are not found to limit the claim because the clauses do not give "meaning and purpose to the manipulative steps” of the claimed invention. See MPEP § 2111.04.I and/or Griffin v. Bertina, 283 F.3d 1029, 1034, 62 USPQ2d 1431 (Fed. Cir. 2002).

	As per claim 17, the combination of Tomasofsky and Strayer teaches the method of Claim 13, Tomasofsky further teaches:  wherein routing the RBA result data further comprises:
determining a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”);
transmitting a step-up challenge to the online user if the risk level is medium (Tomasofsky ¶ 35 – “If the score is above a pre-defined threshold (i.e., “more risky”) [“medium”], then the transaction will undergo additional, direct authentication of the suspect consumer (e.g., a 3DS “step-up” challenge).” And Tomasofsky ¶ 25 – “During some known 3-D Secure transactions, the suspect consumer (i.e., the consumer attempting to perform the payment card transaction with the merchant) is presented with an authentication challenge, sometimes called a “step-up challenge.” This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed” and Tomasofsky ¶ 119 – “may also prompt additional authentication challenge of suspect consumer 902.”);
receiving a response to the step-up challenge from the online user (Tomasofsky ¶ 25 – “This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed”); and 
determining an authentication decision based on the response to the step-up challenge and the RBA result data (Tomasofsky ¶ 36 – “having to answer an additional authentication challenge during a transaction” and Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”, the authentication decision is based on information provided by the RBD and additional authentication challenge, when required).
	
The combination of Tomasofsky and Strayer doesn’t explicitly disclose, but Powell, in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
wherein the ACS is configured to perform a step-up challenge (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the ACS is configured to perform a step-up challenge, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user. 
 
As per claim 20, the combination of Tomasofsky and Strayer teaches the method of Claim 19, Tomasofsky further teaches:  wherein to route the RBA result data, the computer-executable instructions cause the at least one processor to:
determine a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”);
generate the authentication decision as an authentication approval in response to the risk level being low (Tomasofsky ¶ 35 – “the RBD system scores the subject transaction based at least in part on the transaction data and the infrastructure data. If the score is below the pre-defined threshold (i.e., “less risky”), then the transaction will be approved at this stage and subsequently will continue through to authorization without additional authentication of the suspect consumer” and ¶ 31 – “the RBD system sends risk-based decisioning data to the issuer's ACS via an extension message to the 3DS protocol”);
in response to the risk level being medium, the computer-executable instructions cause the at least one processor to:
transmit a step-up challenge to the online user if the risk level is medium (Tomasofsky ¶ 35 – “If the score is above a pre-defined threshold (i.e., “more risky”) [“medium”], then the transaction will undergo additional, direct authentication of the suspect consumer (e.g., a 3DS “step-up” challenge).” And Tomasofsky ¶ 25 – “During some known 3-D Secure transactions, the suspect consumer (i.e., the consumer attempting to perform the payment card transaction with the merchant) is presented with an authentication challenge, sometimes called a “step-up challenge.” This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed” and Tomasofsky ¶ 119 – “may also prompt additional authentication challenge of suspect consumer 902.”);
receive a response to the step-up challenge from the online user (Tomasofsky ¶ 25 – “This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed”);
and determine the authentication decision based on the response to the step-up challenge and the RBA result data- and generate the authentication decision as an authentication denied message in response to the risk level being high (Tomasofsky ¶ 36 – “having to answer an additional authentication challenge during a transaction” and Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”, the authentication decision is based on information provided by the RBD and additional authentication challenge, when required).

The combination of Tomasofsky and Strayer does not explicitly disclose, but Powell, in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
wherein the ACS is configured to perform a step-up challenge (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the ACS is configured to perform a step-up challenge, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user. 

Conclusion
THIS ACTION IS MADE Non-FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YIN Y CHOI whose telephone number is (571)272-1094 or yin.choi@uspto.gov.  The examiner can normally be reached on M-F 7:30 - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/YIN Y CHOI/Examiner, Art Unit 3685                                                                                                                                                 6/20/2022