DETAILED ACTION
 
Acknowledgements
 
This action is in response to Applicant’s filing on May 13, 2022, and is made Non-Final. This action is being examined by James H. Miller, who is located in Dallas, Texas, in the central time zone (CST), and who can be reached by email at James.Miller1@uspto.gov or by telephone at (469) 295-9082. 
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. Examiner is available for interviews, generally: M–F, 10 a.m.–4:00 p.m., CST.

Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on May 13, 2022, has been entered.

Oath/Declaration
A properly executed inventor’s oath or declaration has been received on Feb. 17, 2022, and is acknowledged for the following inventor: Ankur SAMBHAR.

Claim Status
 
The status of claims is as follows: 
Claims 1–20 are pending, entered, and examined with Claims 1 and 11 in independent form. 
Claims 1, 2, 3, 5, 7, 9, 11, 12, 13, 15, 17, and 19 are amended.
No Claims are added or cancelled.

Response to Amendment
 
Applicant's Amendment has been reviewed against Applicant’s Specification filed Oct. 31, 2019, [“Applicant’s Specification”] and accepted for examination. No new matter was entered. 
Applicant's Amendment to address the rejections under 35 U.S.C. § 112(a) has been reviewed and has overcome each and every rejection under § 112(a) previously set forth in the Final Office Action mailed Feb. 15, 2022, [“Final Office Action”]. The rejections of Claims 1–20 under § 112(a) is withdrawn.
Applicant's Amendment to address the rejection under 35 U.S.C. § 112(b) has been reviewed and has overcome each and every rejection under § 112(b) previously set forth in the Final Office Action. The rejection of Claims 1–20 under § 112(b) is withdrawn.


Response to Arguments
35 U.S.C. § 101 Argument
	Applicant argues the amended claims recite an improvement in security for electronic payment transactions and therefore, does no recite an abstract idea exception. Applicant’s Reply at *13; MPEP § 2106.05(a). Applicant’s argument has been fully considered but is not persuasive for the reasons here and in the § 101 rejection below. The claims are not focused on an improvement in technology or technical field but on certain independently abstract ideas that use computers as tools. MPEP § 2106.05(a). 
“[A] claim whose entire scope can be performed mentally, cannot be said to improve computer technology.” MPEP 2106.05(a) (citation omitted). “Similarly, a claimed process covering embodiments that can be performed on a computer, as well as embodiments that can be practiced verbally or with a telephone, cannot improve computer technology. Id. (citation omitted). The “determining … a plurality of transaction attributes for the transaction request”; “determining … a security authorization mode for the transaction request based on the plurality of one or more transaction attributes”; the “executing … an authentication rule for the transaction request”; “requiring an authorization input from the user responsive to the authentication request”; “upon receiving a proper authentication input, verifying the user and proceeding with the transaction request” and “upon receiving an improper authentication input, … activating an additional security authentication mode requiring biometric input information” limitations can all be performed without the aid of a computer. The substantive amendment indicated by underline supra merely invokes “additional security authentication mode require biometric information,” which under BRI, can be a request to view a driver’s license when cashing a check or making a transaction.  A picture on a driver’s license is “biometric information.” The “determining” steps are simple mental processes that predate the computer. The claimed computer components are generic. E.g., Spec. ¶¶ [0043]–[0048] (describing generic programmed processor, memory, authentication rules selection engine), ¶ [0041] (generic communication network), ¶ [0021] (generic wifi network), ¶ [0014] (unspecified machine learning and neural networks (software)). The computer is merely used as a tool. Therefore, the pending claims do not improve the computer or computer technology. MPEP § 2106.05(a). Authenticating users for transactions and asking for identification such as a driver’s license containing a photo as a condition of the transaction is a long-standing fundamental economic principle/practice under organizing human activity. MPEP § 2106.04(a)(2)(II)(A).
Applicant argues the amended claims recite a practical application to “enhance[] security in executing electronic transactions using a hierarchy of rule-based security authentication modes.” Applicant’s Reply at *14. Applicant’s argument has been fully considered but is not persuasive for the reasons here and in the § 101 rejection below. A practical application cannot be found in the abstract idea exception itself. MPEP § 2106.05. Here, as explained supra, the amended claims under BRI recite a long-standing fundamental economic principle/practice under organizing human activity. The additional elements are limited to the computer components, are claimed at a high-level, and are generic.
Applicant argues the amended claims recite significantly more that the alleged abstract idea under Step 2B. Applicant’s Reply at *15. Specifically, “[t]he non-conventional system and method provide for the creation and execution of a hierarchy of rule-based security authentication modes that provide for a progressively increasing level of security [not claimed] when an improper or unauthorized security authentication input is received. More specifically, when in [sic] improper security authentication input is detected, either by improper entry or by unauthorized access [not claimed], the system and method automatically inform the user of the improper security authentication input via one or more modes of electronic communication, and simultaneously activates an additional security authentication mode requiring biometric input information providing substantially higher degree of security.” Id. (emphasis Examiner). Applicant’s argument has been fully considered but is not persuasive for the reasons here and in the § 101 rejection below. First, as claimed, the system recites conditional limitations that may or may not always be performed such as “proper authentication” and “improper authentication”. For the method claims, only one condition would be given weight. Ex Parte Schulhauser, Appeal No. 2013-007847 (PTAB April 28, 2016). See M.P.E.P § 2111.04; see also M.P.E.P. §§ 2103(c) and 2173.05(h). Even if the alternative steps were not recited, “progressively increasing level of security“ and “unauthorized access” is not explicitly claimed—merely a single increase in security of “biometric input authentication,” which as Examiner explained could be displaying a driver’s license or passport containing a photo upon request during a transaction. Therefore, the italicized argument indicated supra are features that are not explicitly claimed. Next, as explained supra, the amended claims recite a long-standing fundamental economic principle/practice under organizing human activity. The additional elements are limited to the computer components, are claimed at a high-level, and are generic. The same argument applies at Step 2B as in Step 2A, Prong Two. The abstract idea cannot provide the inventive concept. MPEP § 2106.05. The pending claims in their ordered combination of elements is also not inventive. First, the claims are directed to an abstract idea. Second, each claim element represents a currently available generic computer technology, used in the way in which it is commonly used (individually generic). Last, Applicant’s Specification discloses that the ordered combination of elements is not inventive. Spec., ¶ [0033] (steps may be performed in any order); ¶ [0043] (same).
35 U.S.C. § 103 Argument

Applicant argues the combination of prior art does not disclose the amended limitation of “providing … feedback to the user … based on the user’s learned spending habits and patterns” because the cited portions of Arora merely disclose user feedback based on something other than “spending habits and patterns” as amended. Examiner respectfully disagrees. See Arora, ¶ [0083], “The user specific learner 122 can be used to learn user behavior and patterns based on feedback from user devices for authentication events recorded by the authentication system 100…. For example, if the authentication system 100 prompts a user for authentication using a fingerprint authenticator, but the user 106 overrides the prompt and prefers to use iris authentication instead, the authentication system 100 records this event and uses it as a learning event. Learning events can be used to fine tune the authentication model via the user specific learner 122 so that each authentication rule set 112 is specific to each user as deployed on each specific user's device.” “Authentication events” as disclosed by Arora, ¶ [0083], occur contemporaneously with and corresponds to payment (spending) transactions. Arora, ¶¶ [0030], [0031].
Applicant’s remaining arguments with respect to Claims 1–20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 101
 
35 U.S.C. 101 reads as follows:
 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
 
Claims 1–20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., an abstract idea) without significantly more. 
Analysis
Step 1: Claims 1–20 are directed to a statutory category. Claims 1–10 recite  “a system” and are therefore, directed to the statutory category of “a machine.” Claims 11–20 recite  “a method” and are therefore, directed to the statutory category of “a process.” 
Representative Claim
 
Claim 1 is representative [“Rep. Claim 1”] and recites, in part, emphasis added by Examiner to bold limitations indicating generic computer components, and letters for clarity in describing the limitations:
1. A system 

[A] for implementing a hierarchy of rule-based security authentication modes, the system comprising: 

[B] a memory component that stores one or more user authentication profiles; and

[C] an authentication rule selection engine including a computer processor, coupled to the memory component, the computer processor programmed to perform operations, including: 

[D] receiving from a user, via the computer processor, a selection of a plurality of authentication profiles, the authentication profiles including one or more security authentication modes based on one or more attributes for a potential user transaction request; 

[E] learning, via the computer processor, the user's spending habits and patterns; 

[F] providing, via the computer processor, feedback to the user including one or more suggestions to update the user selection of the plurality of authentication profiles based on the learned user’s spending habits and patterns; 

[G] receiving, via a transaction gateway, a transaction request associated with a payment instrument from a user at a point-of-sale system;

[H] determining, via the computer processor, a plurality of transaction attributes for the transaction request including a transaction location, a transaction merchant, a transaction type, a transaction amount, and a wifi network for the transaction request; 

[I] determining, via the computer processor, a security authorization mode for the transaction request based on the plurality of transaction attributes;

[J] executing, via the computer processor, an authentication rule for the transaction request; 
[K] transmitting, via a communication network, an authentication request via the security authorization mode based on the authentication rule;

[L] requiring an authorization input from the user responsive to the authentication request; 

[M] upon receiving a proper authentication input, verifying the user and proceeding with the transaction request; and

[N] upon receiving an improper authentication input, automatically informing the user of the improper authentication input via one or more modes of electronic communication, and activating an additional security authentication mode requiring biometric input information.

Claims are directed to an abstract idea exception.

Step 2A, Prong One: Rep. Claim 1 recites “implementing a hierarchy of rule-based security authentication modes,” in the preamble, Limitation A; “receiving from a user … one or more security authentication modes based on one or more attributes for a potential user transaction request” in Limitation D; “receiving … a transaction request” in Limitation G; “determining … a plurality of transaction attributes for the transaction request” in Limitation H; “determining … a security authorization mode for the transaction request based on the plurality of transaction attributes” in Limitation I; “executing … an authentication rule for the transaction request” in Limitation J; “transmitting … an authentication request via the security authorization mode based on the authentication rule” in Limitation K; “requiring an authorization input from the user responsive to the authentication request” in Limitation L; “verifying the user and proceeding with the transaction request” “upon receiving a proper authentication input” in Limitation M; and “activating an additional security authentication mode requiring biometric input information” “upon receiving an improper authentication input” in Limitation N, which recites the abstract idea exception of certain methods of organizing human activity. MPEP § 2106.04(a)(2)(II). The particular form of organizing human activity is indeterminate and falls into each of the three particular forms: commercial or legal interactions (sales activities);  fundamental economic principles or practices (mitigating risk); and managing interactions between people (following rules or instructions). Id. 
Step 2A, Prong Two: The claims do not contain additional elements that integrate the abstract idea exception into a practical application because the additional elements: (1) are mere instructions to apply the abstract idea exception; and/or (2) further limits the abstract idea exception. The additional elements are: an authentication rule selection engine comprising a computer processor, coupled to a memory component, a transaction gateway, a point-of-sale system, a communication network, a wifi network; and Limitations E & F.
Regarding the an authentication rule selection engine comprising a computer processor, coupled to a memory component, a transaction gateway, a point-of-sale system, a wifi network, and a communication network [collectively, “computer components”], Applicant’s Specification does not otherwise describe them or describes them using exemplary language as part of a general purpose computer, so Examiner assumes Applicant intended merely generic computer components. E.g., Spec. ¶¶ [0043]–[0048] (describing generic programmed processor, memory, authentication rules selection engine), ¶ [0041] (generic communication network), ¶ [0021] (generic wifi network). Limitation B describes the memory component storing data. Limitation C describes the authentication rule selection engine and computer processor, coupled to the memory component. Examiner interprets coupled as “transmitting and receiving data.” Limitation C further describes the computer processor being programmed, which is interpreted as storing software instructions. This takes generic hardware/software and describes the functions of receiving, storing, and transmitting data (instructions) between the processor and memory component, which merely invokes computers or other machinery in its ordinary capacity to receive, store, or transmit data. MPEP § 2106.05(f)(2). Limitations D and G–N describe the “computer components,” performing the steps of the claimed invention, which represents the abstract idea itself. Performing the steps of the abstract idea itself simply adds a general purpose computer after the fact to an abstract idea exception, MPEP § 2106.05(f)(2), or generically recites an effect of the judicial exception. MPEP § 2106.05(f)(3).
Limitations E & F recite the authentication rule selection engine comprising a computer processor and coupled to a memory component “learning … the user’s spending habits and patterns” (Limitation E) and “providing … feedback to the user, including one or more suggestions to update the user selection of the plurality of authentication profiles based on the learned user's spending habit and patterns” (Limitation F), which recite simple mental process. MPEP § 2106.04(a)(2)(III). These limitations, as drafted, recite a simple mental process that under the broadest reasonable interpretation, cover performance in the human mind or with pen and paper, but for the recitation of the generic computer components. For example, but for the generic computer components claim language, the claim encompasses a consultant speaking with a user about their spending habits and patterns, forming a simple mental judgment about them, and offering suggestions. In further support that Limitations E & F may be performed in the human mind or with pen and paper, the spending habit, patterns, suggestions, and leaning is under BRI, not limited by any particular data structure, may be formatted in any non-computer readable format, and may comprise any information sufficient to identify the relevant information, such as handwritten text and spoken conversation. If a claim limitation under BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract idea exception. MPEP § 2106.04(a)(2)(III). The inventive concept cannot be furnished by an abstract idea exception. MPEP § 2106.05 (citing and quoting RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1327, 122 USPQ2d 1377 (Fed. Cir. 2017) ("Adding one abstract idea (math) to another abstract idea (encoding and decoding) does not render the claim non-abstract").
Applicant’s Specification discloses “An embodiment of the present invention may rely on artificial intelligence, machine learning and neural networks to analyze user spending habits and patterns and provide a self-learning feature” but no further explanation by Applicant’s Specification of how “artificial intelligence, machine learning and neural networks” are used to accomplish the “learning” is described, as explained in the enablement rejection under § 112(a) in the immediately prior Final Office Action. Spec., ¶ [0014]. However, arguendo, even if a computer were to perform the “learning” by “artificial intelligence, machine learning and neural networks,” and undue experimentation by a PHOSITA was not a concern, this high-level of claiming “learning” reads neatly on “use a computer.” MPEP § 2106.05(f).
Therefore, the additional elements are no more than mere instructions to apply the exception using generic computer components and not a practical application. MPEP § 2106.05(f). The additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on the abstract idea. Accordingly, Rep. Claim 1 is directed to an abstract idea. Rep. Claim 1 is not substantially different than Independent Claim 11 and includes all the limitations of Rep. Claim 1. Therefore, Independent Claim 11 is also directed to the same abstract idea. Dependent claims are dependent on one of the Independent Claims and include all the limitations of the Independent Claims. Therefore, all dependent claims are directed to the same abstract idea.
Step 2B:  Rep. Claim 1 fails Step 2B because the additional elements are not integrated into a practical application. As discussed with respect to Step 2A, Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer/computer components. The same analysis applies here in Step 2B. Mere instructions to apply an exception using a generic computer/computer components cannot provide an inventive concept.
Claims do not apply the judicial exception in some other meaningful way; a practical application not found in ordered combination of elements.
 
The pending claims in their ordered combination of elements is not inventive. First, the claims are directed to an abstract idea. Second, each claim element represents a currently available generic computer technology, used in the way in which it is commonly used (individually generic). Last, Applicant’s Specification discloses that the ordered combination of elements is not inventive. Spec., ¶ [0033] (steps may be performed in any order); ¶ [0043]–[0048] (any combination of hardware/software).
There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. Their collective functions merely provide conventional computer implementation of the abstract idea. Thus, the pending claims are directed to an abstract idea.
Dependent Claims Not Significantly More
 
Dependent claims are dependent on Independent Claims and include all the limitations of the Independent Claims. Therefore, all dependent claims recite the same Abstract Idea. Dependent claims do not contain additional elements that integrate the abstract idea exception into a practical application because the additional elements: (1) are mere instructions to apply the abstract idea exception; and/or (2) further limit the abstract idea exception.
Dependent Claims 2–9, 12–16, and 18–20 all recite “wherein” clauses that further limit the abstract idea of the Independent Claims.
Dependent Claim 17 recites “applying an additional authentication request when the user is not verified.” Examiner interprets this additional limitation as providing the user a second opportunity to authenticate the transaction request should the first transaction request fail. Duplication of parts has no patentable significance unless a new and unexpected result is produced. MPEP § 2144(VI)(B). Here, no new and unexpected result is produced that was not previously produced in the first authentication request. Thus, this limitation has no patentable significance and cannot be significantly more. 
Conclusion

Claims 1–20 are therefore drawn to ineligible subject matter as they are directed to an abstract idea without significantly more. The analysis above applies to all statutory categories of invention. As such, the presentment of Rep. Claim 1 otherwise styled as another statutory category is subject to the same analysis.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1–20 are rejected under 35 U.S.C. 103 as being unpatentable over Tetali et al. (U.S. Pat. Pub. No. 2018/0293579) [“Tetali”] in view of Hammad et al. (U.S. Pat. Pub. No. 2013/0218765) [“Hammad”]

Regarding Claim 1, Tetali discloses
A system for implementing a hierarchy of rule-based security authentication modes, the system comprising: 
(See at least ¶ [0004], The method includes storing, at the authentication computing device, a plurality of user preferences associated with a user account. The user preferences are rule-based preferences that define steps to be taken for authenticating the user for accessing the user account.” The “security authentication modes” are hierarchical (graded or ranked) because the “user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above. ¶ [0017].)

a memory component [Fig. 2, element 212] that stores one or more user authentication profiles [preferences]; and an authentication rule selection engine [Fig. 2, element 212] including a computer processor [Fig. 2, element 216] , coupled to the memory component [Fig. 2, element 212], the computer processor programmed to perform operations, including: 
(See at least Fig. 2, “authentication computer device 212,” and associated text ¶ [0043], where the “authentication computer device 212 is configured to store a plurality of user preferences associated with a user account … [and] determine one or more authentication challenges based, at least in part, on the user preferences.” “[D]atabase server 216 is communicatively coupled to a database 220 that stores … user preferences, authentication challenges, issuer preferences, and merchant preferences.” ¶ [0045]. Preferences are authentication rules. As shown in Fig. 2, the database (memory) 220 and database server 215 are communicatively coupled to the authentication computer device 212. Fig. 4 and associated text ¶ [0053] discloses the components of the server computer 212 and 216, shown in Fig. 2. Fig. 5, step 505 (store plurality of user preferences). “The authentication signatures and account information are stored by the authentication computer device as user preferences in a customer profile.” ¶ [0017].)

receiving from a user, via the computer processor, a selection of a plurality of authentication profiles [customer profiles], the authentication profiles, including one or more security authentication modes [authentication challenge] based on one or more attributes for a potential user transaction request; 
(Examiner interprets authentication mode as “PIN, one-time password, biometric, fingerprint, voice recognition, etc.” Spec., ¶ [0013]. Examiner interprets “authentication profile” as the specific authorization mode that is applied based on transaction details. Spec., ¶ [0013] (“a user may apply a 4 digit PIN for local everyday transactions within a predetermined spend limit, e.g., $100.00,” which is an exemplary authentication profile containing the authentication mode of “a 4 digit PIN”). 
See at least ¶ [0047], “When a customer, such as cardholder 122 shown in FIG. 1, enrolls in the service, the customer provides [selects] one or more authentication signatures (e.g., a pin, password, pattern code, digital signature, and biometric signatures). … The authentication signatures and account information are stored by authentication computer device 212 in database 220 as user preferences in a customer profile. The user preferences are rule-based preferences that define steps to be taken for authenticating the user for accessing the user account. In the example embodiment, the customer may customize his or her profile. For example, the customer may specify a preferred type of authentication challenge. The user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above. The customer may also login to authentication computer device 212 using a client system 214 to update or change the user preferences.” See also, the “second example,” ¶ [0022], requiring “a fingerprint authentication challenge [mode] for payment transactions over a certain amount outside of her home town.”)

[…] 
receiving, via a transaction gateway [interchange network 128], a transaction request associated with a payment instrument from a user at a point-of-sale system; 
(See at least ¶ [0048], where “authentication computer device 212 and client systems 214 may be utilized to process transaction data relating to purchases a cardholder 122 makes utilizing a transaction card processed by interchange network 128 and issued by the associated issuer 130.” “[C]lient systems 214 may include point-of-sale (POS) devices associated with merchant 124 and used for processing payment transactions. ¶ [0048]. Fig. 5, step 510 (receive authentication request).) 

determining, via the computer processor, a plurality of transaction attributes for the transaction request including a transaction location [geolocation of the POS device], a transaction merchant [merchant preferences], a transaction type, a transaction amount, and a wifi network for the transaction request [IP address]; 
(See at least ¶ [0018], “During a payment transaction with a merchant registered for the payment service, the merchant initiates the transaction through a point of sale (POS) device or a website ecommerce gateway that is in communication with the authentication computer device. The merchant provides a customer identifier (name, username, preliminary authentication, or another unique identifier) to the authentication computer device to enable the authentication computer device to identify the corresponding customer profile. The authentication computer device analyzes the initiated transaction
to determine a type of authentication challenge to present to the customer. More specifically, based on the customer's preferences, the merchant's preferences, a risk assessment performed by the authentication computer device, geo location of the POS device, IP address of the computer device accessing the website, preferences of the issuer bank, and/or other analytics, the authentication computer device selects a type of authentication challenge to present the customer.” “The user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above.” ¶ [0017].)

determining, via the computer processor, a security authorization mode for the transaction request based on the plurality of one or more transaction attributes;
(See at least Fig. 5, step 515, “determine one or more authentication challenges based at least in part on user preferences.” “Authentication computer device 212 analyzes the user preferences and the authentication request to determine 515 whether or not an authentication challenge is warranted to respond to the authentication request.” ¶ [0062]. The authorization request contains transaction attributes. ¶ [0035]. “Authentication computer device 212 may base the determination 515 of the one or more authentication challenges on at least one of the geographic location of the payment transaction, the transaction type, transaction volume, and amount of the payment transaction. The user may also set preferences based on transaction type, where transactions for fuel and/or parking do not required further authentication challenges, or where other transaction types, such as food and jewelry, would.” ¶ [0062]. ¶ [0060] (payment transaction mode based on location).)

executing, via the computer processor, an authentication rule for the transaction request; transmitting, via a communication network [NFC], an authentication request via the security authorization mode based on the authentication rule; 
(See at least ¶ [0018], “The authentication challenge is presented to the customer via the POS device [executing]. Once the customer has responded, a challenge response is sent back to the authentication computer device.” “In a payment transaction example, a user preference may be that the user indicates that all charges under $10 do not require an authentication challenge.” ¶ [0060], ¶ [0059] (types of authentication rules). Fig. 5, step 520 (“Transmit the one or more authentication challenges to be presented to a user attempting to access the user account”) and associated text ¶ [0063], where “authentication computer device 212 transmits the one or more authentication challenges to client system 214, such as a mobile computer device, a point of sale device, and a user computer device, where client system 214 is configured to present the one or “more authentication challenges to the user.” :client system 214 is in communication with another computer device, such as through a Near Field Communication (NFC) connection.” ¶ [0063].)

requiring an authorization input from the user responsive to the authentication request; 
(See at least ¶ [0063], where “Client system 214 receives the response(s) from the user and transmits those responses to authentication computer device 212.”)

upon receiving a proper authentication input, verifying the user and proceeding with the transaction request; and 
(See at least Fig. 5, step 525, “determine whether to authenticate the user based on a response to the one or more authentication challenges”. ¶ [0063], [0038]) 

[…]

Tetali does not disclose but Arora discloses 

learning, via the computer processor, the user's spending habits and patterns; 
(See at least ¶ [0081], “The online learning component 124 can receive attributes corresponding to multiple users, user devices, and operating environments included in multiple entity ecosystems. In some examples, the entity ecosystems for each user can be connected to the online learning component 124 via a network. The authentication system 100 can employ the generic learner 116 to learn behaviors and patterns across a
broader user population from other user's exhibiting similar behaviors. In some embodiments, the authentication system 100 need not rely solely on behaviors of a particular user to improve that user's authentication experience. The authentication system 100 can also holistically analyze the behaviors of a broader user population to learn and improve the overall authentication experience over time. To do this, the authentication model implemented by the authentication system 100 can be trained on the user preferences of the entire user population, then fine-tuned after deployment based on user behavior (e.g., trained locally on the user device 104 periodically).” The user specific learner 122 can be used to learn user behavior and patterns based on feedback from user devices for authentication events recorded by the authentication system 100. In other words, user-specific learning can be tied specifically to a particular user's preferences for modifying the authentication rule set 112 to be applicable to that specific user. Certain users may exhibit peculiar behaviors in certain scenarios distinct from other similar users and overall user population.” ¶ [0083]. “the authentication model can be a neural network or can be implemented using neural networks, decision trees, classifiers, or any combination of these.” The behaviors and patterns related authenticating purchase (spending) transactions. ¶ [0031], [0032]. See also Hammad, Fig. 1B and associated text ¶ [0035]; Fig. 7 )

providing, via the computer processor, feedback to the user, including one or more suggestions to update the user selection of the plurality of authentication profiles based on the learned user's spending habit and patterns; 
(See at least ¶ [0083], “The user specific learner 122 can be used to learn user behavior and patterns based on feedback from user devices for authentication events recorded by the authentication system 100…. For example, if the authentication system 100 prompts a user for authentication using a fingerprint authenticator, but the user 106 overrides the prompt and prefers to use iris authentication instead, the authentication system 100 records this event and uses it as a learning event. Learning events can be used to fine tune the authentication model via the user specific learner 122 so that each authentication rule set 112 is specific to each user as deployed on each specific user's device.” “Authentication events” as disclosed by Arora, ¶ [0083], occur contemporaneously with and corresponds to payment (spending) transactions. Arora, ¶¶ [0030], [0031], [0092], [0093]. “As an example of a learning event resulting in rule modification via the user specific learner 122, take the previously discussed example where the authentication system 100 avoids authentication via iris or facial recognition when the user 106 is travelling at high speeds. The user 106 may often travel via tram, such that an accelerometer of the user device 104 determines that the user 106 is travelling at high speeds. The basic heuristically determined rule may request a form of authentication different from facial recognition because the authentication system 100 may assume that the user's travelling speed correlates to inability to successfully or sufficiently capture facial authentication (e.g., user is driving, travel is turbulent, etc.). Over time, the user 106 may continually be faced with requests for an authentication type other than iris or facial authentication while travelling via train at high speeds However, the user 106 may override the rule to provide facial authentication successfully while travelling at high speeds, contrary to the rule. In this example, as a result of the successful facial authentication at high travelling speed, the user specific learner 122 may modify, delete, or reprioritize the rule to accommodate the preferred behavior of the user 106.” (feedback)).
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention, to have combined learning the user's spending habits and patterns and providing feedback to the user comprising one of more suggestions to update the user selection of the plurality of authentication profiles as explained in Arora, to the known invention of Tetali, with the motivation to “enhance the security of electronic devices” by “[i]mprov[ing]  method[s] for authenticating [a] user” with “a dynamic learning system for intelligent authentication.” Arora, ¶¶ [0002], [0004].  See also example ¶ [0084] and reasoning for user specific learner 122 to may modify, delete, or reprioritize the rule to accommodate the preferred behavior of the user 106.)

Tetali does not disclose but Hammad discloses 

upon receiving an improper authentication input [unusual and/or suspicious transaction], automatically informing the user of the improper authentication input via one or more modes of electronic communication [Verify Chat], and activating an additional security authentication mode requiring biometric input information [video challenge]. 
(See at least ¶ [0128], “the GSS may detect an unusual and/or suspicious transaction. The GSS may utilize the VerifyChat feature to communicate with the user, and verify the authenticity of the originator of the purchase transaction. In various implementations, the GSS may send electronic mail message, text (SMS) messages, Facebook® messages, Twitter™ tweets, text chat, voice chat, video chat ( e.g., Apple Face Time), and/or the like to communicate with the user. For example, the GSS may initiate a video challenge for the user, e.g., 2121. For example, the user may need to present him/her-self via a video chat, e.g., 2122. In some implementations, a customer service representative, e.g., agent 2124, may manually determine the authenticity of the user using the video of the user. In some implementations, the GSS may utilize face, biometric and/or like recognition ( e.g., using pattern classification techniques) to determine the identity of the user.” Fig. 8A (security protocol escalation levels).)
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention, to have combined notifying the user of the improper authentication input, after receiving an improper authentication input, and activating an additional security authentication mode requiring biometric input information as explained in Hammad, to the known invention of Tetali, with the motivation to reduce fraud. Hammad, ¶¶ [0031], [0036], [0048].

Regarding Claim 2, Tetali, Arora, and Hammad disclose
The system of claim 1 and the point-of-sale system as explained above.
Tetali further discloses
wherein the point-of-sale system comprises an in-person transaction.  
(See at least ¶ [0018], “During a payment transaction with a merchant registered for the payment service, the merchant initiates the transaction through a point of sale (POS) device.”)

Regarding Claim 3, Tetali, Arora, and Hammad disclose 
The system of claim 1 and the point-of-sale system as explained above.
Tetali further discloses
wherein the point-of-sale system comprises an online transaction.  
(See at least ¶ [0018], “During a payment transaction with a merchant registered for the payment service, the merchant initiates the transaction through … a website ecommerce gateway that is in communication with the authentication computer device.”)
 
Regarding Claim 4, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authorization rule as explained above.
Tetali further discloses
wherein the authorization rule comprises location data and transaction amount data.  
(See at least ¶ [0047], where “The user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above.”)

Regarding Claim 5, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authorization rule as explained above.
Tetali further discloses
wherein the authorization rule comprises external third-party data relating to at least one fraud event.  
(See at least ¶ [0065] where authentication rules comprise “issuer preferences”, and ¶ [0066], where authorization rules comprise “requester (merchant) preferences” in addition to “user preferences.” The issuer and requester preferences are third party data relating to a fraud event. ¶¶ [0002], [0003] (Issuer and requester authentication rules are related to historical fraud events in an attempt to prevent fraud).

Regarding Claim 6, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authorization request as explained above.
Tetali further discloses
wherein the authentication request comprises a biometric request
(See at least ¶ [0022], describing “a fingerprint authentication challenge for payment transactions over a certain amount outside of her home town.” ¶ [0059].)

Regarding Claim 7, Tetali, Arora, and Hammad disclose
The system of claim 1 and the programmed computer processor as explained above.
Tetali further discloses
wherein the computer processor is further programmed to perform the operation of applying an additional authentication request when the user is not verified.  
(See at least ¶ [0016], describing the “step-up challenge”.)

Regarding Claim 8, Tetali, Arora, and Hammad disclose
The system of claim 1 and a plurality of authentication rules as explained above.
Tetali further discloses
wherein a plurality of authentication rules is associated with each user.
(See at least Abstract, describing “rule-based preferences that define steps to be taken for authenticating the user for accessing the user account.” ¶ [0065] where authentication rules comprise “issuer preferences”, and ¶ [0066], where authorization rules comprise “requester (merchant) preferences.” User preferences are associated with a single user. Alternatively, ¶¶ [0065], [0066] describe the interplay between issuer, requester, and user preferences for authentication, each rule set associated with a user.)


Regarding Claim 9, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authentication mode as explained above.
Arora further discloses
wherein the security authentication mode is determined based at least in part on artificial intelligence.
(See at least ¶ [0029], where “the online learning component can implement artificial neural networks ( e.g., recurrent neural network)”

Regarding Claim 10, Tetali, Arora, and Hammad disclose 
The system of claim 1 and the payment instrument as explained above.
Tetali further discloses
wherein the payment instrument comprises a card product. 
(See at least ¶ [0068] (payment cards).)

Regarding Claim 11, Tetali discloses
A method for implementing a hierarchy of rule-based security authentication modes, the method comprising 
See at least ¶ [0004], The method includes storing, at the authentication computing device, a plurality of user preferences associated with a user account. The user preferences are rule-based preferences that define steps to be taken for authenticating the user for accessing the user account.” The “security authentication modes” are hierarchical (graded or ranked) because the “user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above. ¶ [0017].
The remaining limitations of Claim 11 are not substantively different than those presented in Claim 1 and are therefore, rejected, mutatis mutandis, based on Tetali, Arora, and Hammad for the same rationale presented in Claim 1 supra.

Regarding Claims 12, 13, 14, 15, 16, 17, 18, 19, and 20, Tetali, Arora, and Hammad disclose
The method of claim 11 as explained above. 
The remaining limitations of Claims 12, 13, 14, 15, 16, 17, 18, 19, and 20, are not substantively different than those presented in Claims 2, 3, 4, 5, 6, 7, 8, 9, and 10, respectively, and are therefore, rejected, mutatis mutandis, based on Tetali, Arora, and Hammad for the same rationale presented in Claims 2, 3, 4, 5, 6, 7, 8, 9, and 10, respectively, supra.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES H MILLER whose telephone number is (469)295-9082. The examiner can normally be reached M-F 9:30 - 6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bennett M Sigmond can be reached on (303) 297-4411. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAMES H MILLER/Examiner, Art Unit 3694