Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application.  This application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid. Applicant's submission filed on 02/04/2022 has been entered.

Status of Claims
Claims 1, 2, 10, and 17 have been amended. Claims 1-20, as filed 02/04/2022, are examined herein. No new matter is included in the amended claims.

Response to Arguments
Applicant’s arguments and amendments have been carefully considered.
The rejection under 35 USC 101 was withdrawn in the Final Rejection dated 10/04/2021.
Regarding the rejection under 35 USC 103, Applicant argues (page 11-14 of the Remarks) that  the cited references do not teach or suggest: 1)  authenticating, by the directory server, the cardholder based on the m-OTP retrieved from the transaction message and a second m-OTP generated by the directory server or an issuer system using the at least one algorithm, wherein the mobile application is configured with the directory server or the issuer system; and 2)  sending, by the directory server, the transaction message to the issuer system for authorization upon authenticating the cardholder, wherein the issuer system authorizes the transaction message by matching the m-OTP generated by the mobile application and a third m-OTP generated by the issuer system using the at least one algorithm. The examiner finds this argument to be moot in view of new grounds of rejection in regards to the independent claims.

Claim Rejections - 35 USC § 112
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. 
Claims 1 and 10 recite the limitation “wherein the mobile application is configured with the directory server or the issuer system”. The meaning of “configured with” is not clear in this context, and the specification does on clarify this uncertainty. Examiner notes that for the purpose of examination, the broadest reasonable interpretation of “configured with” includes “configured to communicate with”.
Claim 17 recites the limitation “an issuer mobile application configured in a cardholder's device without using a network connection”. The meaning of this limitation is not clear and the specification does not clarify the uncertainty. 
Claims 2-9, 11-16, and 18-20 stand rejected due to dependency. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-10, and 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over KR-2014117079-A (Dong) and US 8527417 (Telle). Page numbers in Dong refer to the English translation. 

Claims 1 and 10:  Dong teaches: A computer-implemented method comprising: 
generating a mobile-One Time Password (m-OTP) with a mobile application configured on a cardholder's device without using a network connection, the m-OTP generated based on at least one algorithm; (FIG. 2 #200; page 4 paragraph 1 “one time password”; and page 7, para 7 “OTP generating device”)
receiving, by a directory server, a transaction message comprising transaction information for authorization, from an acquirer system, wherein the transaction message comprises at least the m-OTP, wherein the m-OTP was submitted into a merchant system, wherein the merchant system provided the transaction message to the acquirer system for completing a transaction; (FIG. 2 #110 and S130; page 6 para 4; page 5 paragraph 5 “communication company system”)
authenticating, by the directory server, a cardholder based on the m-OTP retrieved from the transaction message and a second m-OTP generated by the directory server or an issuer system using the at least one algorithm, wherein the mobile application is configured with the directory server or the issuer system;  (FIG. 2 #200; page 3, paragraph 16 “generated by … ”; page 4 paragraph 1 “one time password”; and page 6, paragraph 6 ”PG system … performs an authentication process”.)
sending, by the directory server, the transaction message to  the issuer system for authorization upon authenticating the cardholder, wherein the issuer system authorizes the transaction message  by matching the m-OTP generated by the mobile application and a third m-OTP generated by the issuer system using the at least one algorithm; (FIG. 2 #100)
receiving, by the directory server, a response message comprising a result of authorization of the transaction message, from the issuer system; and (Page 7 para 11 “mobile payments may be allowed temporarily”)
Dong teaches a control signal (page 8 para 1-8) but does not explicitly teach a response message. Dong does not explicity teach, but Telle does teach:
providing, by the directory server, the response message to the merchant system via the acquirer system. (col. 16 lines 24-51 “PARes” )
One of ordinary skill in the art is motivated, as of the filing date of the instant application, to modify the transaction system of Dong with the PAReq and PARes messages of Telle, because Telle explicitly teaches (col. 1 lines 43-45) the motivation of enhanced security in financial transactions by using a one time password. 

Claim 2:  Dong in view of Telle teaches: The method as claimed in claim 1, and
Dong further teaches:
wherein the transaction message comprises an identifier, wherein the identifier indicates that the transaction message comprises the m-OTP and is differentiated from other types of transaction messages using the identifier by the directory server which do not comprise the m-OTP. (Page 7 para 1 “identification information”)

Claims 3, 13, and 19. Dong in view of Telle teaches: The method as claimed in claim 2, and
Dong further teaches:
wherein the identifier is inserted in one of a Message Type Identifier (MTI), a bitmap or data elements of the transaction message. (Page 7 para 1 “QR code”)

Claim 6: Dong in view of Telle teaches: The method as claimed in claim 1, and Dong further teaches:
wherein the transaction information comprises at least one of, a primary account number of the cardholder, a processing code, a transaction amount, a transaction date and time, an acquirer system identification code, a currency code, an issuer system identification code, and mode of authentication comprising the second m-OTP,  generated by the issuer system, a static password and biometric pattern information. (Page 8 para 1)

Claims 7 and 14: Dong in view of Telle teaches: The method as claimed in claim 1, and Telle further teaches: 
wherein the response message is generated based on authenticating the m-OTP and authorizing the transaction message. (col. 16 lines 24-51 “PARes” )

Claims 8 and 15: Dong in view of Telle teaches: The method as claimed in claim 1, and Telle further teaches: 
wherein the response message is generated based on authenticating the m-OTP.  (col. 16 lines 24-51 “PARes” )

Claims 9, 16 and 18: Dong in view of Telle teaches the method of claim 8, and Telle further teaches:
wherein the transaction message includes a payer authentication request (PAReq) message.(Col. 5 lines 44-54)

Claim 17: Dong teaches: A computer-implemented method of authorizing transactions, comprising: 
receiving, by a merchant system, a mobile-One Time Password (m-OTP) as input for initiating a transaction, wherein the m-OTP was generated by an issuer mobile application configured in a cardholder's device without using a network connection, the m-OTP generated based on at least one algorithm; (FIG. 2 #200; page 4 paragraph 1 “one time password”; and page 7, para 7 “OTP generating device”)
providing, by the merchant system, the transaction message comprising the m-OTP to an acquirer system, wherein the acquirer system includes an authentication request in the transaction message and provides the transaction message to a directory server, wherein the directory server authenticates a cardholder based on the m-OTP retrieved from the transaction message and a second m-OTP generated by the directory server or an issuer system using the at least one algorithm, wherein the issuer mobile application is configured with the directory server or the issuer system, wherein an authorization request message is sent to the issuer system, upon authenticating the cardholder, for authorizing the transaction message, wherein the issuer system authorizes the transaction message by matching the m-OTP generated by the issuer mobile application and a third m-OTP generated by the issuer system using the at least one algorithm and, wherein a response message comprising a result of authorization is generated by the issuer system; and (FIG. 2 #200; page 3, paragraph 16 “generated by … ”; page 4 paragraph 1 “one time password”;  page 6, paragraph 6 ”PG system … performs an authentication process”; and page 8 paragraph 1-7.)
Dong does not explicitly teach, but Telle does teach:
generating, by the merchant system, a transaction message comprising an identifier and the m-OTP, wherein the identifier indicates that the transaction message comprises the m-OTP and is differentiated from other types of transaction messages that do not comprise an m-OTP; (Col. 15 lines 4-26 “PAReq”)
receiving, by the merchant system, the response message from the directory server via the acquirer system. (col. 16 lines 24-51 “PARes” )

Claims 4 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over KR-2014117079-A (Dong) and US 8527417 (Telle) and in further view of US 20200314091 (Master). 

Claims 4 and 20. Dong in view of Telle teaches: The method as claimed in claim 1,
Dong in view of Telle does not explicitly teach, but Master does teach: 
wherein the m-OTP is a time- based password. ([0021])
One of ordinary skill in the art is motivated, as of the effective filing date of the instant application, to modify the transaction system of Dong in view of Telle with the time-based password of Master because Master explicitly teaches [0019-0021] the motivation of enhanced security in financial transactions by using a time-based OTP. 

Claims 5 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over KR-2014117079-A (Dong) and US 8527417 (Telle) and in further view of US 20080154770 (Rutherford).

Claims 5 and 12. Dong in view of Telle teaches: The method as claimed in claim 1, 
Dong does not teach, but Rutherford does teach:
wherein the transaction message is formatted according to IS0 8583 standard. ( [0079] )
One of ordinary skill in the art is motivated, as of the effective filing date of the instant application, to modify the transaction system of Dong in view of Telle with the use of ISO of Rutherford, because Rutherford explicitly teaches [0006-0007] the motivation of standardized transaction protocols. 

Claim 11:  Dong in view of Telle teaches: The directory server as claimed in claim 10. Dong in view of Telle does not explicitly teach, but Rutherford does teach:
wherein the one or more processors are configured to differentiate the transaction message comprising the m-OTP from other types of transaction messages that do not comprise an m-OTP, using an identifier in the transaction message, wherein the m-OTP is a time-based password and wherein the transaction message is according to IS08583 standard. ([0176], [0079], [0204])


 



Conclusion

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20020004783 (Paltenghie) [0046] The local residence of the wallet may comprise, for example, the owner's personal computer, smart card, or other similar device that enables the wallet to be utilized off-line. [0065] wallet issuer server  [0079]public key directory [0078] Referring to FIG. 7, another advantageous feature of the present invention is the ability to generate, publish and index a public/private key pair. An advantage of a virtual wallet system of the present invention is that the local aspect may generate a public/private key pair 
US 20100107229 (Najafi) Verisign. [0007] Generate time-based OTP on a mobile device.  [0025] validation server 
US 20110130120 (Hoeksel) Vodaphone. generation of time-dependent password in a mobile device.
US 20110208658 (Makhotin) [0042] directory server, issuer server.  [0029] For each transaction, a unique cryptogram is generated. The cryptogram can be generated on the portable consumer device or, alternatively, on the access device. 
US 20110321146 (Vernon)  Method for securely sending a network one-time-password (OTP) from a user computer to an authentication server. FIG. 16 #1609 “construct OTP” [0073] …the merchant terminal environment is modified to include a network password generator 410. The network password generator may be implemented internally in the merchant terminal or in a separate unit that interfaces with the merchant terminal. The terminal sends its standard terminal password (e.g., serial number and merchant ID) to the network password generator. A time interval number sequence 411 is also input to the network password generator, which generates a time-multiplexed network password 412 by inserting the appropriate time intervals between the packets of the terminal password, as specified by the time interval number sequence.
US 20120284187  (Hammad) [0079] “For use with VisaNet, BASE I, and SMS, those messages may be variations of the International Organization for Standardization (ISO) 8583 message, which is the international standard for the format of financial messages. Each message may contain a bit map that specifies the data fields that appear in the message, a message type identifier, and those fields that are needed for the specific function intended. The message header contains basic message identifiers and routing information, along with message processing control codes and flags. The message type identifier specifies the message class and the category of the function that is to be implemented. For instance, 0100 may indicate a transaction authorization request. As noted, a bit map specifies which data fields are in a message. In addition to a primary bit map, messages can include secondary (and other) bit maps. Each map typically contains 64-bit fields, corresponding to the number of possible fields in a message. The data fields contain the information needed to process a message.
US  20160034889 (Downs) [0049] (emphasis added) “The acquirer 2006 will present transactions from many different merchants 2004 to the payment card network operator 2008 via the PNIP interface 2012. The connection between the merchants 2004 and the acquirer 2006 is typically a TCP/IP interface 2016. The format that the transaction is in when the card is swiped at the merchant 2004 may differ from the format that the transaction is in when actually received by the payment card network operator. The acquirer may convert the transaction into the ISO 8583 format or into a format that is a specific implementation of the ISO 8583 format (e.g., the MASTERCARD CIS (customer interface specification) format. The authorization request message can be an ISO 8583 message type identifier (MTI) 0100 message, for example, sent over the communications interface 2016 between the merchant 2004 and the acquirer 2006.”
US 20160034900 (Nelson) [0043] (emphasis added)  “An “International Organization for Standardization (ISO) 8583 messaging standard” may define how messages are formatted and transmitted by systems exchanging transaction requests and responses. The ISO 8583 messaging standard is a standard for systems that exchange electronic transaction information associated with a payment made by a consumer using a payment device or a payment account. The ISO 8583 messaging standard may define a message format including a message type identifier (MTI), bitmaps, and data elements. The MTI may be 4 digits that describe the message type including the relevant ISO 8583 version, message class, message function, and message origin. Within ISO 8583 standards, a bitmap may indicate which data elements or data element subfields (e.g., amongst fields 1 through 128) may be present elsewhere in an ISO 8583 message. The data elements may be the fields carrying the actual transaction information related to a transaction for which the message is involved. The standard may define permitted content, attributes, and field length of certain data fields.”
US 20180007172 (Wang) teaches [0064] a PIN dialogue message including PIN dialogue parameters.
US 20180026715 (Zhao) [0090] (emphasis added) “The generated first message includes at least the following fields: a first message type identifier (Message type ID) field, used to identify a type of the first message, where for the type of the first message, refer to 19 downlink PLOAM messages and nine uplink PLOAM messages that are specified in the existing GPON standard protocol ITU-T G.984.3 and respectively used for ONU registration, ONU-ID allocation, ranging, data encryption, status monitoring, password authentication, bit error rate monitoring, and the like; a message length field, used to identify a length of a fragment carried in the first message; an action indication field, used to identify whether the fragment carried in the first message is the last fragment; a first fragment sequence number (Fragment SeqNo) field, used to identify a sequence number of the fragment carried in the first message; and a message content field, used to carry a fragment in the multiple fragments.”
US 20180310174 (Rougier) [0025] This invention may utilize a time-based HMAC generation algorithm. This TOTP (Time-based One-Time Password) algorithm uses the shared secret between the controller and the cloud-server, and the current timestamp to create a one-time password. …  This is accomplished by pre-sharing offline the authentication key or secret.
US 20190392450 (Gosset) [0025] The RBA-enabled directory server generates risk-based authentication result data based on the extracted authentication data…  [0037]  issuer computing device [0102] OTP 
US 20190043046 (Jamieson) [0012] Encryption may comprise key based encryption. Encryption may comprise asymmetric encryption. Encryption may comprise public and private key encryption. The purchaser program may be configured to generate a one-time password (OTP) by way of a Time-based One-time Password (TOTP) algorithm and to encrypt the payment message with the OTP. Alternatively or in addition, the payment handling apparatus may be configured to generate an OTP by way of a TOTP and to encrypt the confirmation message with the OTP. [0019] Where there are plural vendor's devices, such as a row of point of sale apparatus, the payment code may be operative to provide for matching between the appropriate vendor's device and the purchaser's device. Where the payment code comprises random data, the random data may be operative to make the payment code unique whereby there is matching between the appropriate vendor's device and the purchaser's device. [0075] Where there are plural vendor's devices, such as a row of point of sale apparatus, the payment code is operative to provide for matching between the appropriate vendor's device and the purchaser's smartphone. The random data comprised in the payment code makes the payment code unique whereby matching between the appropriate vendor's device and the purchaser's device is achieved.
US 20200314091 (Master) [0020]  A key advantage of this mechanism is that the generating client need not be connected to the iOTP server or the API, instead it can be completely offline. Recognition of the iOTP depends only on secrets and identity data that is pre-provisioned into the generating client. [0073] authorization [0044] iOTP server
US 20210081923 (Rafferty) [0007] OTP generated by FOB [0044] Also disclosed is a method of authentication, comprising the generation and comparison of ephemeral candidate word strings to authenticate payments in both online and offline scenarios, using pre-identified time segments, the transaction value and other cryptographic methods to prevent an adversary from equally attempting to guess and generate stings to authenticate unauthorised payments. 
 US 10395462 (Ates) Col. 10 lines 6-20 “The UCAF (Universal Cardholder Authentication Field) data field is a multipurpose data transport area in a digital message to allow communication of authentication data to an Issuer from an Acquirer over any form of telecommunications network. For example, the UCAF can be a 32-character field (24 bytes—1 control byte and 23 data bytes—that are base-64 encoded to become 32 characters) with a flexible data structure that can be tailored to support the needs of a variety of Issuer security and authentication requirements. For example, ISO 8583 Data Element 48, sub-element 43 may be designated to contain the UCAF. The term UCAF also extends to referring to the interface defined to pass data between the Merchant and the MCD and back again, i.e. the field names in the specification for any given channel.”
US 6687700 (Cornelius) (71) (emphasis added) “The transaction manager 26 references the security database 30 in preparation for the transmission of the data message from the intermediary communications node 14 to the destination communications device 42. The transaction manager 26 may reference a message type identifier, a source identifier, or a destination identifier of the data message to determine the applicable submittal password and submittal log-in identifier to be retrieved from the security database 30.”
US 20140281506 (Redburg) teaches a “mobile device of a user of a secure network resource receives and installs a soft token application. A unique device ID of the mobile device is programmatically obtained by the soft token application. A seed for generating a soft token for accessing the secure network resource is requested by the soft token application. Responsive to receipt of the seed by the soft token application, the soft token is generated based on the seed and the soft token is bound to the mobile device by encrypting the seed with the unique device ID and a hardcoded pre-shared key.”
US 8646062 (Bouz) Claim 1. (emphasis added) A method for authenticating users by presenting a previously acquired signed digital signature, the method comprising: ….and in response to receiving from the server, in reply to the session establishment message, a challenge message comprising the unique username, a challenge message type identifier that is different from the establishment message type identifier, and a unique secure facilitator session identification indicia, replying to the server with a request message comprising service type identifier indicating a service requested by the user for execution by the server and that is different from the challenge message type identifier and the establishment message type identifier, and the unique session identification indicia, …..”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAIRE A RUTISER whose telephone number is (571)272-1969.  The examiner can normally be reached on 8:00 AM to 5:00 PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin L Hewitt can be reached on 571-272-6709.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


CLAIRE A. RUTISER
Examiner
Art Unit 3692

	

/C.A.R./Examiner, Art Unit 3692                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
/ERIC T WONG/Primary Examiner, Art Unit 3692