Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
2.	This Office Action is issued in response to the claims filed on 7/5/2022.
Claims 1-3, 5-12, and 14-20 are pending in this Office Action.

Response to Arguments
3.	a. Acknowledgement is made of specification amendments dated 7/5/2022.
	b. The previous 35 U.S.C. 112(b), 35 U.S.C. § 101, and 35 U.S.C. § 103 rejections have been withdrawn in response to claim amendments.

Examiner’s Amendment
4.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given by Ms. Lauren Sherwood, Reg. No. 71720, on 8/8/2022.
By this amendment, the claims have been amended as follows:
1.	(Currently Amended) A computer-implemented method for payment authentication, the method comprising: 
receiving, by a payment authentication system, a first device fingerprint from a user device associated with a user having an account with a primary account number, the first device fingerprint being derived from a device attribute of the user device including a unique hardware identifier of a hardware component of the user device and behavioral biometric data derived from a behavioral pattern of the user in using the user device;
generating, by the payment authentication system, a token representing the primary account number;
storing, by the payment authentication system, the first device fingerprint in association with the token and providing the token to the user device, wherein the token is identified by the user device and submitted to a merchant system to make a payment to a merchant;
receiving, by the payment authentication system from a payment processing system, an authentication request indicative of the token and a second device fingerprint generated by a customer device associated with a customer of the merchant, the authentication request being associated with a transaction between the merchant and the customer using the token; 
identifying, by the payment authentication system, the stored first device fingerprint based on the token indicated by the authentication request;
determining, by the payment authentication system, one or more conditions for authentication are satisfied, the one or more conditions including a match between the second device fingerprint and the stored first device fingerprint indicating the customer device is the user device authorized to use the token to make the payment to the merchant to complete the transaction; and
upon determining that the one or more conditions for authentication are satisfied, generating and transmitting, by the payment authentication system, an authentication message to the payment processing system, the authentication message indicating that the transaction has been authenticated so that the token is used to make the payment to the merchant.  

2.	(Currently Amended) The method of claim 1, wherein determining the match between the second device fingerprint and the stored first device fingerprint comprises: 
determining, by the payment authentication system, the second device fingerprint is indicative of the device attribute of the stored first device fingerprint; and 
determining, by the payment authentication system, the second device fingerprint is indicative of behavioral biometric data having at least a threshold degree of similarity with the behavioral biometric data of the stored first device fingerprint.  

3.	(Currently Amended) The method of claim 1, wherein:
the token is further associated with a specified merchant specified by the user device, and	
the one or more conditions for authentication further include a match between the specified merchant and the merchant of the transaction.

4.	(Canceled) 

5.	(Original) The method of claim 1, wherein the behavioral pattern is a pattern in which the user holds or transports the user device.

6.	(Original) The method of claim 5, wherein the behavioral pattern is a traveling pattern of the user device.

7.	(Original) The method of claim 1, wherein the behavioral pattern is a pattern in which the user uses one or more software applications of the user device.

8.	(Original) The method of claim 7, wherein the behavioral pattern is a web browsing history.
 
9.	(Currently Amended) The method of claim 1, further comprising: 
transmitting, by the payment authentication system, the authentication message to an issuer associated with the primary account number or a payment processor of the issuer.

10.	(Currently Amended) The method of claim 1, further comprising: 
transmitting, by the payment authentication system to the user device, a notification indicating that the transaction has been authenticated.

11.	(Currently Amended) A system, the payment authentication system comprising:
a memory storing instructions; and
one or more processors configured to execute the instructions to cause the payment authentication system to perform operations including: 
receiving, from a user device associated with a user, a request to associate a first device fingerprint with a token representing a primary account number and with a specified merchant to which usage of the token is to be limited, the first device fingerprint having been generated by the user device and being derived from a device attribute of the user device including a unique hardware identifier of a hardware component of the user device and behavioral biometric data derived from a behavioral pattern of the user in using the user device; 
generating the token;
storing the first device fingerprint in association with the token and providing the token to the user device, wherein the token is identified by the user device and submitted to a merchant system to make a payment to a merchant;
receiving, from a payment processing system, a transaction authorization request associated with a transaction between the merchant and a customer using the token, the transaction authorization request being derived from the token and a second device fingerprint generated by a customer device associated with the customer; 
determining conditions for authentication are satisfied, the conditions including a match between the second device fingerprint and the first device fingerprint indicating the customer device is the user device authorized to use the token to make the payment to the merchant to complete the transaction, and a match between the specified merchant and the merchant; and
upon determining that the conditions for authentication are satisfied, generating and transmitting an authentication message to the payment processing system, the authentication message indicating that the transaction has been authenticated so that the token is used to make the payment to the merchant.  

12.	(Currently Amended) The payment authentication system of claim 11, wherein determining the match between the second device fingerprint and the first device fingerprint comprises: 
determining the second device fingerprint is indicative of the device attribute of the first device fingerprint; and 
determining the second device fingerprint is indicative of behavioral biometric data having at least a threshold degree of similarity with the behavioral biometric data of the first device fingerprint.  

13.	(Canceled) 

14.	(Currently Amended) The payment authentication system of claim 11, wherein the behavioral pattern is a pattern in which the user holds or transports the user device.

15.	(Currently Amended) The payment authentication system of claim 14, wherein the behavioral pattern is a traveling pattern of the user device.

16.	(Currently Amended) The payment authentication system of claim 11, wherein the behavioral pattern is a pattern in which the user uses one or more software applications of the user device.

17.	(Currently Amended) The payment authentication system of claim 16, wherein the behavioral pattern is a web browsing history.
 
18.	(Currently Amended) The payment authentication system of claim 11, wherein the operations further include: 
transmitting, to the user device, a notification indicating that identity verification has been successfully performed for the transaction.

19.	(Currently Amended) The payment authentication system of claim 11, wherein the transaction authorization request includes encrypted data derived from the token and the second device fingerprint.

20.	(Currently Amended) A non-transitory computer-readable medium storing instructions that, when executed by one or more processors of a user device, cause the user device to perform operations for providing data for payment authentication, the operations including:
generating, by the user device, an original device fingerprint based on a device attribute of the user device and behavioral biometric data, the device attribute including a unique hardware identifier of a hardware component of the user device, the behavioral biometric data being derived from a behavioral pattern of a user in using the user device;
transmitting, by the user device, a token request including the original device fingerprint to a payment authentication system, wherein the original device fingerprint is stored by the payment authentication system in association with a token representing a primary account number of the user that is generated by the payment authentication system responsive to the token request;
receiving, by the user device, the token from the payment authentication system; 
detecting, by the user device, a user operation identifying the token for submission to a merchant system via an electronic commerce application for making a payment to a merchant associated with the merchant system; 
generating, by the user device, a subsequent device fingerprint based on the device attribute of the user device and the behavioral biometric data; and
transmitting, by the user device to the merchant system, the subsequent device fingerprint and the token so that the token is used to make the payment, wherein the subsequent device fingerprint and the token is further received by the payment authentication system for verifying a match of the subsequent device fingerprint and the original device fingerprint to authenticate the payment.
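
Added example, not part of the Office Action or the application: a minimal Python sketch of the enrollment and authentication flow recited in claims 1-3 (token bound to a stored device fingerprint, hardware-identifier match, behavioral similarity threshold, optional merchant restriction). The class and field names, the cosine-similarity measure and the 0.95 threshold are assumptions; the claims only recite "a threshold degree of similarity".

```python
import hmac
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    hardware_id: str   # unique hardware identifier (the device attribute)
    behavior: tuple    # behavioral biometric feature vector (constructed values)


def cosine(a, b):
    """Cosine similarity; 0.0 for mismatched or zero vectors (fail closed)."""
    if len(a) != len(b):
        return 0.0
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class PaymentAuthSystem:
    def __init__(self, threshold=0.95):       # assumed threshold
        self.threshold = threshold
        self._vault = {}                      # token -> (PAN, fingerprint, merchant)

    def enroll(self, pan, first_fp, merchant=None):
        """Generate a random token for the PAN and store the first fingerprint."""
        token = secrets.token_urlsafe(16)     # carries no PAN digits
        self._vault[token] = (pan, first_fp, merchant)
        return token

    def authenticate(self, token, second_fp, merchant):
        """Return True only if every authentication condition is satisfied."""
        record = self._vault.get(token)
        if record is None:                    # unknown token: reject
            return False
        _pan, stored, bound_merchant = record
        # Claim 2, first step: same device attribute (constant-time compare).
        hw_ok = hmac.compare_digest(stored.hardware_id.encode(),
                                    second_fp.hardware_id.encode())
        # Claim 2, second step: behavioral data within the similarity threshold.
        behavior_ok = cosine(stored.behavior, second_fp.behavior) >= self.threshold
        # Claim 3: token usable only at the merchant specified at enrollment.
        merchant_ok = bound_merchant is None or bound_merchant == merchant
        return hw_ok and behavior_ok and merchant_ok
```

The PAN never leaves the vault: the merchant and payment processor see only the token and the second fingerprint, and a stolen token replayed from another device fails the hardware-identifier check.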


Allowable Subject Matter
5.	Claims 1-3, 5-12, and 14-20 are allowed.

Examiner’s Statement of Reasons for Allowance
6.	The following is an examiner’s statement of reasons for allowance:
	Regarding independent claims 1, 11, and 20:
	a. Tunnell et al. (US 20170039568 A1) discloses generating a secure token for any type of sensitive information that a user may desire to store on a device and securely verify/validate with another party, server, system, or device without disclosing the original sensitive information during the transmission of the secure token (Abstract).
	To create a personalized secure token, certain user-related or personal factors must be used in generating it. Such factors may include a user's location, a merchant name, an electronic device controlled or operated by the user, user biometrics (something you are), behavior-metrics (how you behave), knowledge-metrics (something you know) and/or device electronic-metrics (something you have) (paragraph [0028]).
	b. Praszczalek et al. (US 20210327547 A1) discloses a privacy-enhancing system, method, and non-transitory computer-readable medium for securely identifying or verifying an individual over time without retaining sensitive biometric data (e.g., biometric images or biometric templates) for the purpose of various data-related interactions. The data interactions including but not limited to: accessing, sharing, exchanging, controlling, or processing of personal data or any data related to an individual, entity, or thing (Abstract).
	The method includes 
generating, with a tokenization algorithm of a local partner device, a first biometric token based on the biometrics that are received, 
outputting, with the local partner device, the registration information and the first biometric token, 
receiving, with a local identity server, the registration information and the first biometric token, 
creating, with the local identity server, a data account associated with an individual in a memory, the data account including the registration information and the first biometric token that are received, 
receiving, with the local identity server, a request from the individual or an entity,
receiving, with the local identity server, a second set of the biometrics of the individual,
generating, with the local identity server and the tokenization algorithm, a second biometric token from the second set of the biometrics of the individual,
identifying, with the local identity server, the individual and the data account by matching the second biometric token that is generated to the first biometric token that is stored in the data account, 
outputting, with the local identity server, a confirmation of an identity of the individual and the registration information in response to identifying the individual and the data account by matching the second biometric token that is generated to the first biometric token that is stored in the data account (paragraphs [0186]-[0187]). 
c. Hu et al. (US 7539644 B2) discloses systems and methods for detecting online fraud. Fraud can be based on customer behavioral information. The system can collect unique identification for a component of a client computer used to purchase items on line. The unique identification can be collected using client software. The system can capture a unique hardware identification (ID) from a client computer and using the unique Hardware ID to detect fraud. Fraud can also be detected by checking IP address nationality. The system's fraud analysis can include collecting payment information and checking the payment information against an address verification system (AVS) to detect fraud; determining fraud based on customer behavioral information; determining fraud by checking if two separate accounts share the same password; collecting unique identification for a component of a client computer used to purchase items on line; determining fraud based on administrative information associated with a customer account; and capturing a unique Internet Protocol (IP) address from a client computer and using the unique IP address to detect fraud (Col. 2, line 41-Col. 3, line 7).
d. Brickell et al. (US 8930274 B1) discloses a payment processing system including an Account Management System, Acquire System, Issuer System, Merchant System and a user device (Fig. 1).  A method for processing payment transactions comprises limited use financial account information and application transaction counters. An account management system creates limited use financial account information, a bundle of public application transaction counters, and a corresponding bundle of private application transaction counters, and transmits the information to a user device for use in a payment transaction. The user device receives a request for payment information from a merchant system and processes the request without accessing a secure element processor on the user device. The user device calculates a security code using the private application counter and a transaction number received from the merchant system. The user device transmits the limited use financial account information, the calculated security code, and one or the bundle of public application transaction counters to the merchant system. The merchant system transmits a payment request to the account management system as the issuer of the limited use financial account information. The account management system determines the validity of the public application transaction counter and looks up the corresponding private application transaction counter using the public application transaction counter. The account management system determines the validity of the security code by recomputing it using the private application transaction counter and the transaction number received from the merchant system. The account management system retrieves the user's financial account information and requests authorization from the issuer of the financial account for the payment transaction (Col.1, line 65-Col.2, line 28).
The prior art of record fails to either disclose or sufficiently suggest the combination of features as claimed and arranged by applicant. Although the above references teach similar aspects of the independent claims, none of these references, individually or in reasonable combination, discloses all the limitations as claimed in the independent claims, and each of these independent claims as a whole is not obvious over the prior art. Therefore, independent claims 1, 11, and 20 are allowable over the prior art of record, and the dependent claims are allowable by virtue of their dependence on the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T. LE whose telephone number is (571)270-0279.  The examiner can normally be reached on Monday-Thursday 8:00 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THANH T LE/           Examiner, Art Unit 2495