DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-20 are pending.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

The claims have been evaluated for patent subject matter eligibility under 35 U.S.C. 101 using the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG).

Claims 1-7:
Step 1
Claims 1-7 are directed to a computer-implemented system (i.e. machine). Therefore, these claims fall within the four statutory categories of invention.

Step 2A Prong One
Claim 1 recites (i.e., sets forth or describes) an abstract idea of access control based upon permissions and outcomes. Specifically, but for the additional elements, Claim 1 under its broadest reasonable interpretation recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas because the claim recites a process that deals with commercial or legal interactions, and also managing personal behavior or relationships or interactions between people. For instance, the claimed granting access to a resource based upon permissions and an outcome of a cryptogram being decrypted is an example of commercial or legal interactions because it involves business relations of resource management. Additionally, the claimed granting access to a resource based upon permissions and an outcome of a cryptogram being decrypted is an example of managing personal behavior or relationships or interactions between people because it involves following rules of permissions and decryption outcomes. More specifically, the following underlined claim elements recite abstract ideas while the non-underlined claim elements recite additional elements according to MPEP 2106.04(a). 
a processor circuit; and 
a memory storing instructions that when executed by the processor circuit, cause the processor circuit to perform the steps of: 
receiving a first request comprising a first account and a resource
receiving a cryptogram from a contactless card
transmitting the cryptogram to an authentication server
receiving, from the authentication server, a result that the authentication server decrypted the cryptogram
receiving, from the authentication server, a permissions vector of the first account, the permissions vector comprising a plurality of entries
determining, based on the permissions vector of the first account, that the first account is permitted access to the resource
granting the first account access to the resource based on the result that the authentication server decrypted the cryptogram and the permissions vector of the first account

Step 2A Prong Two
Claim 1 as a whole, looking at the additional elements individually and in combination, does not integrate the judicial exception into a practical application. First, the non-underlined additional elements above merely serve as a tool to perform the abstract idea. Additionally, regarding the specification and claims, there is no improvement in the functioning of a computer or an improvement to other technology or technical field present, there is no applying or using the judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition present, there is no implementing the judicial exception with or using the judicial exception in conjunction with a particular machine or manufacture that is integral to the claim present, there is no effecting a transformation or reduction of a particular article to a different state or thing present, and there is no applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment present such that the claim as a whole is more than a drafting effort designed to monopolize the exception. 

Step 2B
The additional elements, taken individually and in combination, do not result in claim 1, as a whole, amounting to significantly more than the judicial exception. As discussed previously with respect to Step 2A, the additional elements merely serve as a tool to perform an abstract idea. Therefore, the claim does not provide an inventive concept, and thus, is not patent eligible.

Dependent Claims
Claims 2-7 have also been analyzed according to the 2019 PEG. However, the subject matter of these claims also fails to recite patent eligible subject matter for the following reasons:
Claim 2 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 2 recites the additional element of “the memory storing instructions that when executed by the processor circuit, cause the processor circuit to perform the step of … of the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea. Claim 2 also recites additional details of the type of data included in the resource. Therefore, it recites additional abstract ideas.
Claim 3 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 3 recites the additional element of “of the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 4 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 4 recites the additional element of “from a second contactless card associated with the second account … from the second contactless card … to the authentication server … from the authentication server … the authentication server … from the authentication server”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 5 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas.
Claim 6 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 6 recites the additional element of “from the contactless card … to the authentication server … from the authentication server … the authentication server”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 7 recites additional details of the type of data included in the resource and permissions vector. Therefore, it recites additional abstract ideas.

Claims 8-14:
Step 1
Claims 8-14 are directed to a non-transitory computer-readable storage medium (i.e. manufacture). Therefore, these claims fall within the four statutory categories of invention.

Step 2A Prong One
Claim 8 recites (i.e., sets forth or describes) an abstract idea of access control based upon permissions and outcomes. Specifically, but for the additional elements, Claim 8 under its broadest reasonable interpretation recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas because the claim recites a process that deals with commercial or legal interactions, and also managing personal behavior or relationships or interactions between people. For instance, the claimed granting access to a resource based upon permissions and an outcome of a cryptogram being decrypted is an example of commercial or legal interactions because it involves business relations of resource management. Additionally, the claimed granting access to a resource based upon permissions and an outcome of a cryptogram being decrypted is an example of managing personal behavior or relationships or interactions between people because it involves following rules of permissions and decryption outcomes. More specifically, the following underlined claim elements recite abstract ideas while the non-underlined claim elements recite additional elements according to MPEP 2106.04(a). 
receiving a first request comprising a first account and a resource
receiving a cryptogram from a contactless card
transmitting the cryptogram to an authentication server
receiving, from the authentication server, a result that the authentication server decrypted the cryptogram
receiving, from the authentication server, a permissions vector of the first account, the permissions vector comprising a plurality of entries
determining, based on the permissions vector of the first account, that the first account is permitted access to the resource
granting the first account access to the resource based on the result that the authentication server decrypted the cryptogram and the permissions vector of the first account

Step 2A Prong Two
Claim 8 as a whole, looking at the additional elements individually and in combination, does not integrate the judicial exception into a practical application. First, the non-underlined additional elements above merely serve as a tool to perform the abstract idea. Additionally, regarding the specification and claims, there is no improvement in the functioning of a computer or an improvement to other technology or technical field present, there is no applying or using the judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition present, there is no implementing the judicial exception with or using the judicial exception in conjunction with a particular machine or manufacture that is integral to the claim present, there is no effecting a transformation or reduction of a particular article to a different state or thing present, and there is no applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment present such that the claim as a whole is more than a drafting effort designed to monopolize the exception. 

Step 2B
The additional elements, taken individually and in combination, do not result in claim 8, as a whole, amounting to significantly more than the judicial exception. As discussed previously with respect to Step 2A, the additional elements merely serve as a tool to perform an abstract idea. Therefore, the claim does not provide an inventive concept, and thus, is not patent eligible.

Dependent Claims
Claims 8-14 have also been analyzed according to the 2019 PEG. However, the subject matter of these claims also fails to recite patent eligible subject matter for the following reasons:
Claim 9 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 9 recites the additional element of “the medium storing computer-readable program code that when executed by the processor causes the processor to perform the step of … of the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea. Claim 9 also recites additional details of the type of data included in the resource. Therefore, it recites additional abstract ideas.
Claim 10 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 10 recites the additional element of “of the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 11 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 11 recites the additional element of “from a second contactless card … from the second contactless card … to the authentication server … from the authentication server … the authentication server … from the authentication server”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 12 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas.
Claim 13 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 13 recites the additional element of “from the contactless card … to the authentication server … from the authentication server … the authentication server … by the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 14 recites additional details of the type of data included in the resource and permissions vector. Therefore, it recites additional abstract ideas.

Claims 15-20:
Step 1
Claims 15-20 are directed to a computer-implemented method (i.e. process). Therefore, these claims fall within the four statutory categories of invention.

Step 2A Prong One
Claim 15 recites (i.e., sets forth or describes) an abstract idea of access control based upon permissions and outcomes. Specifically, but for the additional elements, Claim 15 under its broadest reasonable interpretation recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas because the claim recites a process that deals with commercial or legal interactions, and also managing personal behavior or relationships or interactions between people. For instance, the claimed granting access to a resource based upon permissions and an outcome of a cryptogram being decrypted is an example of commercial or legal interactions because it involves business relations of resource management. Additionally, the claimed granting access to a resource based upon permissions and an outcome of a cryptogram being decrypted is an example of managing personal behavior or relationships or interactions between people because it involves following rules of permissions and decryption outcomes. More specifically, the following underlined claim elements recite abstract ideas while the non-underlined claim elements recite additional elements according to MPEP 2106.04(a). 
receiving, by an application executing on a computer processor, a first request comprising a first account and a resource
receiving, by the application, a cryptogram from a contactless card
transmitting, by the application, the cryptogram to an authentication server
receiving, by the application from the authentication server, a result that the authentication server decrypted the cryptogram
receiving, by the application from the authentication server, a permissions vector of the first account, the permissions vector comprising a plurality of entries
determining, by the application based on the permissions vector of the first account, that the first account is permitted access to the resource
granting, by the application, the first account access to the resource based on the result that the authentication server decrypted the cryptogram and the permissions vector of the first account

Step 2A Prong Two
Claim 15 as a whole, looking at the additional elements individually and in combination, does not integrate the judicial exception into a practical application. First, the non-underlined additional elements above merely serve as a tool to perform the abstract idea. Additionally, regarding the specification and claims, there is no improvement in the functioning of a computer or an improvement to other technology or technical field present, there is no applying or using the judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition present, there is no implementing the judicial exception with or using the judicial exception in conjunction with a particular machine or manufacture that is integral to the claim present, there is no effecting a transformation or reduction of a particular article to a different state or thing present, and there is no applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment present such that the claim as a whole is more than a drafting effort designed to monopolize the exception. 

Step 2B
The additional elements, taken individually and in combination, do not result in claim 15, as a whole, amounting to significantly more than the judicial exception. As discussed previously with respect to Step 2A, the additional elements merely serve as a tool to perform an abstract idea. Therefore, the claim does not provide an inventive concept, and thus, is not patent eligible.

Dependent Claims
Claims 16-20 have also been analyzed according to the 2019 PEG. However, the subject matter of these claims also fails to recite patent eligible subject matter for the following reasons:
Claim 16 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 16 recites the additional element of “by the application … of the second application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea. Claim 16 also recites additional details of the type of data included in the resource. Therefore, it recites additional abstract ideas.
Claim 17 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 17 recites the additional element of “by the application … of the second application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 18 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 18 recites the additional element of “by the application … by the application … from a second contactless card associated with the second account … by the application … from the second contactless card … by the application … to the authentication server … by the application from the authentication server … the authentication server … by the application from the authentication server … by the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 19 recites the abstract idea of access control based upon permissions and outcomes. In other words, it recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. Claim 19 recites the additional element of “by the application … by the application … by the application”. However, this additional element fails to recite a practical application or significantly more than the abstract idea because it merely serves as a tool to perform the abstract idea.
Claim 20 recites additional details of the type of data included in the resource and permissions vector. Therefore, it recites additional abstract ideas.



Allowable Subject Matter
Claims 1-20 would be allowable if rewritten or amended to overcome the rejection(s) under 35 U.S.C. 101 set forth in this Office action. The closest prior art of record is US 2020/0286071 A1 to Oepping (hereinafter “Oepping”). Oepping teaches:
a processor circuit (Fig.2 item 120, Fig.3 item 120; para 47)
a memory storing instructions that when executed by the processor circuit, cause the processor circuit to perform the steps of (Fig.2 item 122; paras 47, 84-85)
receiving a cryptogram from a contactless card (Fig.5 item 212; paras 41-44, 66-67)
transmitting the cryptogram to an authentication server (Fig.5 item 214; paras 44, 67)
US 2015/0332266 A1 to Friedlander et al. (hereinafter “Friedlander”) is also of interest. Friedlander teaches: 
receiving a first request comprising a first account and a resource (paras 25-26, 70)
receiving, from the authentication server, a permissions vector of the first account, the permissions vector comprising a plurality of entries (paras 32, 39-41)
determining, based on the permissions vector of the first account, that the first account is permitted access to the resource (paras 26, 32, 72, 78-81, 86-87, 92)
Therefore, the prior art does not teach, neither singly nor in combination the following:
receiving, from the authentication server, a result that the authentication server decrypted the cryptogram
granting the first account access to the resource based on the result that the authentication server decrypted the cryptogram and the permissions vector of the first account

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ari Shahabi whose telephone number is (571)272-2565. The examiner can normally be reached M-F: 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached on 571-272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Ari Shahabi/Examiner, Art Unit 3685