Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of the Application
Claims 1-20 have been examined in this application.
The filling date of this application number recited above is 21 June 2019. Domestic Benefit / National Stage priority has been claimed for Provisional Applications 62/688528, 62/688529, 62/688546, and 62/688532 in the Application Data Sheet, therefore the examination will be undertaken in 22 June 2018 as the priority date, for applicable claims.
No additional information disclosure statement (IDS) has been filed to date.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 14, and 20 (and claims 2-13 and 15-19 due to dependency) are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
The claims recites generate an authentication model specific to a particular issuer bank associated with the ACS, the authentication model generated by comparing i) transactions previously authenticated by the ACS associated with that issuer bank with ii) historical data for all transactions previously processed by a payment processing network. The claims recite this limitation much narrower than what is recited in the Specification [0060] and [00153], which disclose “the authentication platform analyzes transactions that are authenticated by the ACS and compares these transactions with historical data to generate a risk model for each issuer”. There is no further clarification or explanation that the “historical data” is “for all transactions previously processed by a payment network”, but merely recites that the comparison is between the transactions authenticated by the ACS with historical data. Also, the Specification recites [0031] “Thus, for authentication purposes, the authentication platform is capable of leveraging large volumes of historical transaction data for all transactions previously processed by the payment processing network (as compared to the relatively small number of transactions processed by a particular ACS)”. However, this disclosure merely recites that the authentication platform is capable of processing large amounts of data, and does not explicitly teach that the authentication model is generated by comparing with “historical data for all transactions previously processed by a payment processing network”.
Additionally, Specification [0060] and [00153] recites “… to generate a risk model for each issuer bank”, which can be interpreted as one risk model is generated that all issuer banks can use. The claim limitation “generate an authentication model specific to a particular issuer bank” recites narrower claim language, wherein generating a risk model “for each issuer bank” cannot equate that the risk model is generated specifically to one particular issuer bank, but merely teaches that each issuer bank can utilize the generated risk model.
Therefore, the claims recite new matter which fails to comply with the written description requirement, and clarification is required. For the purposes of compact prosecution, in view of Specification [0060] and [00153], the claim limitation has been interpreted as “generate an authentication model for an issuer bank associated with the ACS, the authentication model generated by comparing i) transactions previously authenticated by the ACS with ii) historical data”.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The Claims are directed to an abstract idea, Methods of Organizing Human Activity. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea.
As per Claims 1, 14 and 20, the claim recites “a method for authenticating a user, comprising:
generating, an authentication model specific to a particular issuer bank, the authentication model generated by comparing i) transactions previously authenticated by an access control server (ACS) associated with that issuer bank with ii) historical data for all transactions previously processed by a payment processing network;
	receiving, from a merchant, an authentication request message for a current transaction, the authentication request message including authentication data;
extracting the authentication data from the authentication request message;
determining if the ACS is available to process the transaction;
if the ACS is offline or otherwise unavailable, the method comprises:
	generating, based at least in part on the extracted authentication data, risk- based authentication (RBA) result data including a risk score, the RBA result data generated using the authentication model specific to the issuer bank associated with the ACS;
generating an authentication decision based on the RBA result data;
embedding the authentication decision in an authentication response message; and
transmitting the authentication response message with the embedded authentication decision to the merchant, prompting the merchant to determine whether or not to proceed with the current transaction based on the embedded authentication decision that was generated using the authentication model.”
The limitation of the claims recited above, under its broadest reasonable interpretation, is directed to an organized human activity by performing fundamental economic principles or practices and/or commercial interaction. The method recited above is a process of generating an authentication model, performing authentication, and providing the authentication decision to the merchant, with the goal of reducing fraud during the transaction process as disclosed by Specification [0054], [0061], [0064], and so forth, wherein the method of authentication involved in transaction processing and risk mitigation is a fundamental economic principle or practice. The process of performing authentication on behalf of another system (e.g. ACS), wherein the system is associated with a particular issuer bank, is simply performing authentication if the other person from the bank is unavailable to process the authentication, which involves an interaction between a merchant and an issuer bank to receive request for authentication, authenticate the transaction, and send the authentication response, which is a commercial interaction. Fundamental economic principle or practice and/or commercial interactions are both certain methods of organized human activity. Therefore, the claims are directed to an abstract idea.
This judicial exception is not integrated into practical application. In particular, the claims recite an additional element of “memory device”, “processor”, “non-transitory computer-readable media”, and “merchant computing device” to perform the method recited above by instructing the abstract idea to be performed “by” these generic computer components. As disclosed by the Specifications, [0066] regarding memory device (i.e. computer system), [0177] regarding non-transitory computer-readable media, and [0067] regarding processor, the additional elements are generic computer components being merely applied to perform the abstract idea by instructing generic functions, such as: receive data, extract data, generate data, compare data, embed data, and transmit data. These general computer components are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system, which is not indicative of integration into a practical application; see MPEP 2106.05(f). 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, the additional element of using a computer based system is recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer system is not indicative of an inventive concept. The claims are not patent eligible.
Regarding dependent claims, they are still directed to an abstract idea without significantly more.
Claim 2 recites “wherein the RBA result data further include at least one reason code that indicates at least one factor that influenced the generated risk score.” The claim provides further clarification regarding the data (e.g. RBA result data includes certain type of data), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 3 recites “wherein to determine if the ACS is available, the at least one processor programmed to transmit the authentication request message to the ACS.” The claim provides further process of determining the ACS availability and transmitting the message. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 4 recites “wherein the at least one processor programmed to: wait a predetermined period of time for a response from the ACS; and determine that the ACS is unavailable if no response is received after the predetermined period of time.” The claim provides further process of waiting a period of time and determining ACS availability based on the time. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 5 recites “wherein the at least one processor programmed to receive a response from the ACS, wherein the response indicates that the ACS is unable to perform authentication.” The claim provides further clarification regarding the data (e.g. response indicating certain data), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 6 recites “wherein the response indicates at least one of an online user associated with the current transaction is not enrolled with the ACS, the ACS is currently unavailable, or the ACS was unable to authenticate the online user.” The claim provides further clarification regarding the data (e.g. response indicating certain data), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 7 recites “wherein to determine if the ACS is available, the at least one processor programmed to determine that an online user associated with the current transaction is not associated with the ACS based on the extracted authentication data.” The claim provides further clarification regarding the data (e.g. determining based on extracted data), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 8 recites “wherein the at least one processor is programmed to generate an authentication decision based on the RBA result data.” The claim provides further process of generating data. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 9 recites “wherein to generate RBA result data, the at least one processor is programmed to determine a risk level based on the RBA result data.” The claim provides further process of determining data. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 10 recites “wherein to transmit an authentication response message, the at least one processor is programmed to embed an indicator in the authentication response message indicating that the current transaction is fully authenticated if the risk level is low.” The claim provides further clarification regarding the data (e.g. embedding an indicator to the message), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 11 recites “wherein to transmit an authentication response message, the at least one processor is programmed to embed one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted if the risk level is not low.” The claim provides further clarification regarding the data (e.g. embedding an indicator to the message), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 12 recites “wherein to generate RBA result data, the at least one processor is programmed to: determine whether the authentication request message complies with 3DS 2 Protocol or subsequent 3DS Protocol versions; and bypass determining if the ACS is available if the authentication request message does not comply.” The claim provides further process of determining data compliance. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 13 recites “wherein to generate RBA result data, the at least one processor is programmed to compare the authentication data to at least one long term variable and at least one short term variable, wherein the at least one long term variable includes historical authentication data and historical authorization data.” The claim provides further process of comparing data. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 15 recites “wherein determining if the ACS is available further comprises: transmitting the authentication request message to the ACS; waiting a predetermined period of time for a response from the ACS; and determining that the ACS is unavailable if no response is received after the predetermined period of time.” The claim provides further process of waiting a period of time and determining ACS availability based on the time. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
Claim 16 recites “further comprising receiving a response from the ACS, wherein the response indicates at least one of the online user is not enrolled with the ACS, the ACS is currently unavailable, or the ACS was unable to authenticate the online user.” The claim provides further clarification regarding the data (e.g. response indicates certain type of data), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 17 recites “wherein determining if the ACS is available further comprises determining that the online user is not associated with the ACS based on the extracted authentication data.” The claim provides further clarification regarding the data (e.g. determining based on extracted data), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 18 recites “wherein generating RBA result data further comprises: determining a risk level based on the RBA result data; if the risk level is low, embedding an indicator in the authentication response message indicating that the current transaction is fully authenticated; and if the risk level is not low, embedding one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted.” The claim provides further clarification regarding the data (e.g. embedding an indicator to the message), by which the data is merely being used by the generic computer components to implement the abstract idea, which is not indicative of integration into a practical application, as similarly discussed above with its parent claim. Additionally, mere data gathering and/or data manipulation is adding insignificant extra-solution activity to the judicial exception, which is also not indicative of integration into a practical application; see MPEP 2106.05(g).
Claim 19 recites “wherein generating RBA result data further comprises: determining whether the authentication request message complies with 3DS 2 Protocol or subsequent 3DS Protocol versions; and bypassing determining if the ACS is available if the authentication request message does not comply.” The claim provides further process of determining data compliance. As similarly discussed above with its parent claim, the recited process is merely using the generic computer components as a tool to perform the abstract idea, which is not indicative of integration into a practical application.
	These additional steps of each claims fail to remedy the deficiencies of their parent claim above because they are merely further limiting the rules used to conduct the previously recited abstract idea, and are therefore rejected for at least the same rationale as applied to their parent claim above.
	Claims 2-13 and 15-19, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitations fail to establish that the claims are sufficient to integrate into a practical application and do not amount to significantly more than the judicial exception. Similarly to the independent claims, each claim recites using a generic computer component to perform the abstract idea as mentioned above. Therefore, prong 2 and step 2B analysis are similar to above and these claims are not eligible.
Therefore, Claims 1-20 are not drawn to eligible subject matter as they are directed to an abstract idea without significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3, 7-11, 13-14, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dominguez (U.S. 2011/0196791), in view of Weller et al. (U.S. 2010/0114776), in further view of Kowalchyk et al. (U.S. 8020763 B1).

As per Claims 1, 14, and 20, Dominguez discloses an authentication platform for authenticating an online user, the authentication platform comprising:
a memory device; and at least one processor coupled to the memory device, the at least one processor programmed to (See Figure 5 and Figure 8 disclosing the hardware components, (i.e. processor, memory, computer readable medium, etc.) of the "Risk Management Engine" which is [0071] "configured to execute a method or process to identify fraudulent payment transactions and to prevent future fraudulent transactions, in accordance with some embodiments of the present invention"):
generate an authentication model for an issuer bank, the authentication model generated by comparing i) transactions previously authenticated by an access control server (ACS) associated with that issuer bank with ii) historical data ([0051] “To address these and other sources of fraud, embodiments of the present invention may utilize the data or records stored in the AHS and/or the Directory Server (DS), along with other relevant data to: (1) process data acquired from prior transactions and authentication operations to determine rules or indicia that may be used to identify fraudulent or potentially fraudulent transactions or accounts that were used in previous transactions ... Note that such rules or indicia may be developed using any suitable analysis or data processing methods, functions, or operations. Such analysis or data processing methods, functions, or operations include, but are not limited to pattern matching, neural network analysis, statistical analysis, linear regression models, mathematical modeling, etc.” which teaches of comparing data (e.g. pattern matching) utilizing different sets of data (e.g. data acquired from prior transactions and authentication operations), which is further disclosed [0052] “To develop such rules or indicia, embodiments of the present invention may access one or more sets of relevant transaction and consumer data. For example, the AHS (as well as other sources within a payment processing network) may contain historical data upon which can provide the basis for models that are predictive of future fraud”. The AHS stores data received from the ACS (e.g. transactions previously authenticated by the ACS), as disclosed [0030] “As used herein, in some embodiments, an "AHS" can refer to an authentication history server. An AHS is a server which can receive and archive the result of authentication attempts in an authentication system. An AHS may record both successful and unsuccessful authentication attempts ... The data stored by the AHS can later be analyzed for various purposes” and [0175] “Whether or not authentication was successful, the ACS sends a copy of the Payer Authentication Response, plus related data, to the Authentication History Server. The server serves as the database of record”. See also [0055] “the AHS transaction authentication records, related transaction data, and independent confirmation of fraudulent activity in previous transactions or accounts can be analyzed to identify characteristics or indicia of fraudulent activities found in the fraudulent transactions and accounts--the characteristics or indicia can then be used to develop a model or set of rules to assist in "predicting" the likelihood that a future proposed transaction is fraudulent--such a prediction can be used ... by an issuer to decline a transaction authorization request for the consumer's account” which teaches the risk model being used by an issuer bank);
receive … an authentication request message for a current transaction, the authentication request message including authentication data (See Figure 7 - Block 510 wherein [0065] "If such authentication data is available, then the Directory Server provides transaction data (and if applicable, other relevant information) to the Risk Management Engine (depicted as element 314 of FIG. 4 and element 702 of FIG. 5) which is requested to perform a fraud assessment for the payment account involved in the payment transaction (stage 510)" wherein [0063] "an evaluation of the likelihood of fraud associated with a proposed payment transaction may be performed by Risk Assessment Engine 707 in response to a Transaction Authentication Inquiry Message 714");
extract the authentication data from the authentication request message (See Figure 7 - Block 512 wherein [0066] "The Risk Management Engine processes the data regarding the transaction and payment account to determine the risk of fraud associated with the transaction (stage 512)");

Dominguez may not explicitly disclose, but Weller discloses the following:
receive, from a merchant computing device, an authentication request message for a current transaction, the authentication request message including authentication data ([0142] “At step 124, the merchant 1020 sends a PAReq to the cardholder 1010. The cardholder 1010 sends the PAReq to the TRS/Online C-R 1040, and the TRS/Online C-R 1040 can then send the PAReq to the ACS 1050”);
determine if the ACS is available to process the transaction ([0143] "At step 125, the ACS 1050 is unable to authenticate the cardholder 1010 and creates an authentication request" wherein the ACS determined it is unable to process the transaction received from the PAReq in step 124);
if the ACS is offline or otherwise unavailable:
generate, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data including a risk score, the RBA result data generated using the authentication model specific to the issuer bank associated with the ACS ([0144] “At step 126, the TRS/Online C-R 1040 conducts challenge-response authentication for the transaction. The TRS/Online C-R 1040 may determine the risk-level of the transaction. The TRS/Online C-R 1040 may then present a question if the transaction is a high-risk transaction. Alternatively, all transactions may be presented a question. The TRS/Online C-R 1040 can then validate the response received from the cardholder 1010”. For using the authentication model, see [0168] “As explained above, in some embodiments of invention an issuer or other party can receive an authentication request (PAReq) from a merchant, and it can base its authentication decision according to level of risk at the time the transaction occurs. The risk level can be determined using a risk model that assesses several characteristics”, wherein [0167-0172] discloses of the “risk levels” or “risk scores” being generated for the response message); 
generate an authentication decision based on the RBA result data ([0146] “At step 127, a PARes is generated based on the response of the cardholder 1010 to the challenge by the TRS/Online C-R 1040” wherein [0170] “In embodiments of the invention, the issuer authenticates the cardholder using a risk assessment tool (e.g., the TRS/Online C-R described above) and sends the appropriate response back to the merchant (e.g. pass, fail, passive authentication, attempt or unavailable)”);
embed the authentication decision in an authentication response message ([0170] “In embodiments of the invention, the issuer authenticates the cardholder using a risk assessment tool (e.g., the TRS/Online C-R described above) and sends the appropriate response back to the merchant (e.g. pass, fail, passive authentication, attempt or unavailable)”); and
transmit the authentication response message with the embedded authentication decision to the merchant computing device … ([0145] “At step 127, a PARes is generated based on the response of the cardholder 1010 to the challenge by the TRS/Online C-R 1040. The PARes can then be sent to the merchant 1020 via the cardholder 1010” and see also [0170] “In embodiments of the invention, the issuer authenticates the cardholder using a risk assessment tool (e.g., the TRS/Online C-R described above) and sends the appropriate response back to the merchant (e.g. pass, fail, passive authentication, attempt or unavailable)”).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize determining ACS availability and performing authentication on behalf of the ACS as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

Although Weller teaches of transmitting the authentication response message to the merchant device, the prior art does not explicitly disclose in regards to prompting the merchant device whether or not to proceed with the current transaction based on the risk assessment. However, Kowalchyk teaches:
transmit the authentication response message with the embedded authentication decision to the merchant computing device, prompting the merchant computing device to determine whether or not to proceed with the current transaction based on the embedded authentication decision that was generated using the authentication model ([Col 11 Lines 4-13] “At stage 235, the retrieved or generated risk indicator 138 is transmitted from the payment processor 130 to the mobile device 150. The risk indicator 138 may be sent to the mobile device 150 in different ways including via a POS terminal, as a text message, e.g., a SMS message, on-line or in the mobile payment application 152. At stage 240, the risk indicator 138 is displayed or otherwise communicated to the merchant 120 and represents the risk associated with accepting payment from the consumer 120 using the transaction card 140 and the mobile device 150” wherein the merchant mobile device being prompted to proceed with the transaction is disclosed [Col 11 Lines 27-41] “According to one embodiment, with further reference to FIGS. 4A-B, the risk indicator 138 is a binary indicator 300 such as a Yes/No indicator (as in FIG. 4A) or an Accept/Reject indicator (as shown in FIG. 4B). These indicators indicate, based on the data utilized to generate the risk indicator 138 (described in further detail below), the merchant 110 can or should proceed with accepting payment using the transaction card 140 and the mobile device 150 if the risk level is sufficiently low, or whether the risk level is too high such that the merchant 110 should reject or decline the transaction card 140 and request alternative payment. An intermediate indicator (e.g., "proceed at your discretion") or a non-determinate indicator ("risk indicator not available") may also be displayed to the merchant 110 if there is not sufficient information about the consumer 120 or transaction card 140”. For clarification regarding the mobile device 150 which belongs to the merchant 110, see [Col 8 Lines 25-26] “With the mobile device 150, the merchant 110 can accept payment at different geographic locations” and also [Col 8 Lines 43-47] “As another example, a merchant 110 may be traveling while selling certain goods and accepts in-person payment from the consumer 120 using a mobile device 150. Thus, a merchant 110 who utilizes a mobile device 150 for payment is not restricted to operating from a retail establishment”).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize prompting the merchant device regarding the current transaction based on the risk assessment as in Kowalchyk in the system executing the method of Weller with the motivation of offering [Col 1 Lines 7-50] to reduce fraudulent activity and allow the merchant to have the option to recourse in the event of fraudulent transactions as taught by Kowalchyk over that of Weller.

As per Claim 3, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 1, wherein to determine if the ACS is available, the at least one processor programmed to transmit the authentication request message to the ACS (Figure 10 - step 124 sends a PAReq message to the ACS as disclosed [0142] "The cardholder 1010 sends the PAReq to the TRS/Online C-R 1040, and the TRS/Online C-R 1040 can then send the PAReq to the ACS 1050" which in step 125 the ACS is determined to be unavailable).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize determining ACS availability as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claims 7 and 17, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 1 and the method of Claim 14, wherein to determine if the ACS is available, the at least one processor programmed to determine that an online user associated with the current transaction is not associated with the ACS based on the extracted authentication data ([0051] "... the directory server 1030 could then forward the VEReq to an access control server (ACS) 1050 associated with the card issuer's authentication service. The ACS 1050 could then determine whether the card information provided in the VEReq can be authenticated. Card information may not be able to be authenticated by the ACS 1050 if, for example, the card information does not include a valid electronic commerce card number, or if there is no authentication information, such as a password or other identifying information, associated with the electronic commerce card number" wherein [0053] discloses that this step of authenticating whether the online user's card information is associated to the issuer's ACS is processed by TRS/Online C-R 1040).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize determining ACS availability as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claim 8, Dominguez discloses the authentication platform of Claim 1, wherein the at least one processor is programmed to generate an authentication decision based on the RBA result data (Figure 7 - step 518 the RME generates a result to indicate either the transaction is not fraudulent or fraudulent as disclosed in [0066-0070]).

As per Claim 9, Dominguez discloses the authentication platform of Claim 1, wherein to generate RBA result data, the at least one processor is programmed to determine a risk level based on the RBA result data ([0061] "The rules stored in Rule Base 706 are used by Risk Assessment Engine 707 to evaluate whether a proposed transaction is likely to be fraudulent (i.e., whether there is an acceptable or an unacceptable level of risk that the transaction is fraudulent)").

As per Claim 10, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 9, wherein to transmit an authentication response message, the at least one processor is programmed to embed an indicator in the authentication response message indicating that the current transaction is fully authenticated if the risk level is low ([0169] "The risk levels may alternatively be referred to as risk scores. For example, the levels of risk may be defined as the follows: "Low risk transactions" are passively authenticated; in the majority of cases, the cardholder is not cognizant of the authentication process" as disclosed in Table 1 - Passive Authentication means the transaction is fully authenticated since enough information was provided for authentication).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a risk level indicator in the authentication response message as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claim 11, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 9, wherein to transmit an authentication response message, the at least one processor is programmed to embed one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted if the risk level is not low ([0169] also discloses of "Medium-high risk transactions" and "very high risk transactions", which the authentication response sent to the merchant indicates "pass, fail, passive authentication, attempt or unavailable" in regards to the risk levels, further discussed in [0170] regarding challenge request for risk scores in medium to high range. As recited in the Specifications [00152] ""merchant only" transactions are more risky transactions" therefore the "merchant only" indication has been interpreted as a "risky" transaction).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a risk level indicator in the authentication response message as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claim 13, Dominguez discloses the authentication platform of Claim 1, wherein to generate RBA result data, the at least one processor is programmed to compare the authentication data to at least one long term variable and at least one short term variable, wherein the at least one long term variable includes historical authentication data and historical authorization data ([0052] "The inventive Risk Management Engine (RME) can utilize the outputs of those models during the authentication step or in the development of a rule base that will be used to detect fraudulent or potentially fraudulent transactions. For example, such rules or indicia may include, but are not limited to: (1) the number of times a particular PAN has been used in the last 24 hours; (2) how many times an account was used at a merchant outside the country in which it was issued; (3) if the password or other authentication credential recently reset; (4) if the password was created immediately before the current transaction; or (5) if a number of relatively small transactions were executed just prior to a larger transaction" see also Figure 6 and [0056] disclosing a variety of features and techniques used for comparison which includes a long term variable, such as geo-location checking (as disclosed in Specifications [0033]), and a short term variable, such as velocity checking (as disclosed in Specifications [0034])). For long term variable, see also [0063] "The data inputs to RME 702 may include, but are not limited to, Authentication History Server data 710 (obtained from AHS 310 of FIG. 4) and Payment Transaction data 712 (which may include indications of known fraudulent accounts or transactions)" and see also Figure 6).

As per Claim 18, Dominguez discloses the method of Claim 14, wherein generating RBA result data further comprises:
determining a risk level based on the RBA result data ([0061] "The rules stored in Rule Base 706 are used by Risk Assessment Engine 707 to evaluate whether a proposed transaction is likely to be fraudulent (i.e., whether there is an acceptable or an unacceptable level of risk that the transaction is fraudulent)").

Dominguez may not explicitly disclose, but Weller discloses the following:
if the risk level is low, embedding an indicator in the authentication response message indicating that the current transaction is fully authenticated ([0169] "The risk levels may alternatively be referred to as risk scores. For example, the levels of risk may be defined as the follows: "Low risk transactions" are passively authenticated; in the majority of cases, the cardholder is not cognizant of the authentication process" as disclosed in Table 1 - Passive Authentication means the transaction is fully authenticated since enough information was provided for authentication); and
if the risk level is not low, embedding one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted ([0169] also discloses of "Medium-high risk transactions" and "very high risk transactions", which the authentication response sent to the merchant indicates "pass, fail, passive authentication, attempt or unavailable" in regards to the risk levels, further discussed in [0170] regarding challenge request for risk scores in medium to high range. As recited in the Specifications [00152] ""merchant only" transactions are more risky transactions" therefore the "merchant only" indication has been interpreted as a "risky" transaction).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a risk level indicator in the authentication response message as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Dominguez, in view of Weller in further view of Kowalchyk, and in view of Diev et al. (U.S. 2017/0228635).

As per Claim 2, Dominguez may not explicitly disclose, but Diev discloses the authentication platform of Claim 1, wherein the RBA result data further include at least one reason code that indicates at least one factor that influenced the generated risk score ([0017] "the predetermined input variable categories of input variables comprise reason codes that identify the input variables that contributed to the computed set of attribution scores").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a reason code as in Diev in the system executing the method of Dominguez with the motivation of offering to [0153] "significantly improve the reliability of an operational system that relies on the live or real-time processing of the data streams" as taught by Diev over that of Dominguez.

Claims 4-6 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Dominguez, in view of Weller in further view of Kowalchyk, and in view of Davis (U.S. 2006/0179007).

As per Claim 4, Dominguez may not explicitly disclose, but Davis discloses the authentication platform of Claim 3, wherein the at least one processor programmed to:
wait a predetermined period of time for a response from the ACS ([0032] "3) the central transaction server 280 timed out waiting on a response from the ACS 225"); and
determine that the ACS is unavailable if no response is received after the predetermined period of time ([0040] "the ACS 225 ... does not reply to the central transaction server 280 within a predetermined period of time … the ACS 225 cannot authenticate the electronic commerce card information").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a time limit as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

As per Claim 5, Dominguez may not explicitly disclose, but Davis discloses the authentication platform of Claim 3, wherein the at least one processor programmed to receive a response from the ACS, wherein the response indicates that the ACS is unable to perform authentication ([0039] "The ACS 225 returns an authentication response 266 to the central transaction server 280, which in turn forwards an authentication response 278 to the cardholder system 205 … Alternatively, the authentication response can include a message indicating that the authentication failed. In a further embodiment, the authentication response also includes an error code identifying the reason for authentication failure" wherein the reason for failure can indicate that the ACS is unable to perform authentication as given by examples in [0040] "If, for example, the ACS 225 does not support authentication functions, the ACS 225 is not operating ...").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize ACS unavailable response message as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

As per Claims 6 and 16, Dominguez may not explicitly disclose, but Davis discloses the authentication platform of Claim 5 and the method of Claim 15, wherein the response indicates at least one of an online user associated with the current transaction is not enrolled with the ACS, the ACS is currently unavailable, or the ACS was unable to authenticate the online user (the reason for authentication failure can indicate that the ACS is unavailable to perform authentication as given by the examples in [0040] "If, for example, the ACS 225 does not support authentication functions, the ACS 225 is not operating …").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize ACS unavailable response message as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

As per Claim 15, Dominguez may not explicitly disclose, but Weller discloses the method of Claim 14, wherein determining if the ACS is available further comprises:
transmitting the authentication request message to the ACS (Figure 10 - step 124 sends a PAReq message to the ACS as disclosed [0142] "The cardholder 1010 sends the PAReq to the TRS/Online C-R 1040, and the TRS/Online C-R 1040 can then send the PAReq to the ACS 1050" which in step 125 the ACS is determined to be unavailable).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a message to the ACS as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

Dominguez may not explicitly disclose, but Davis discloses the following:
waiting a predetermined period of time for a response from the ACS ([0032] "3) the central transaction server 280 timed out waiting on a response from the ACS 225"); and
determining that the ACS is unavailable if no response is received after the predetermined period of time ([0040] "the ACS 225 ... does not reply to the central transaction server 280 within a predetermined period of time … the ACS 225 cannot authenticate the electronic commerce card information").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a time limit as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

Claims 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dominguez, in view of Weller in further view of Kowalchyk, and in view of Hey et al. (U.S. 2019/0188715).

As per Claims 12 and 19, Dominguez may not explicitly disclose, but Hey discloses the authentication platform of Claim 1 and the method of Claim 14, wherein to generate RBA result data, the at least one processor is programmed to:
determine whether the authentication request message complies with 3DS 2 Protocol or subsequent 3DS Protocol versions (See Figure 2 - steps 114 and 116, which is further discussed in Figure 3, wherein the AREQ message is sent from the "3DS Server" to "Validate Operator ID" to verify the compliance); and
bypass determining if the ACS is available if the authentication request message does not comply ([0031] "The interchange network system 22 may determine whether the merchant ID contained in the AREQ is valid, as shown in 120, and if it is not, then the interchange network system 22 may send to the merchant device 18 a denial message rejecting the authentication request message, as shown in 118" which bypasses any steps to be taken with the ACS but just ends the process as shown in Figures 2 and 3).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize 3DS Protocol compliance as in Hey in the system executing the method of Dominguez with the motivation of offering to [0007] "protect against fraud by requiring and validating merchant and card issuer operator IDs prior to authorizing the transactions" as taught by Hey over that of Dominguez.

Response to Arguments
Applicant’s arguments, see page 9, filed 18 May 2022, with respect to the 35 U.S.C. 112(a) rejection have been fully considered and are persuasive. However, upon further consideration, a new ground of 35 U.S.C. 112(a) rejection is made in view of the claim limitation “generate an authentication model specific to a particular issuer bank associated with the ACS, the authentication model generated by comparing i) transactions previously authenticated by the ACS with ii) historical data for all transactions previously processed by a payment processing network” as discussed above.
Applicant's arguments, see pages 10 to 13, with respect to 35 U.S.C. 101 rejection have been fully considered but they are not persuasive.
Applicant contends, see pages 10 to 12, that the claims do not recite an abstract idea. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 101 rejection, considering the claims without the additional elements (e.g. processor, device, etc.), the method recited by the claims is a process of generating an authentication model, performing authentication, and providing the authentication decision to the merchant, with the goal of reducing fraud during the transaction process as disclosed by Specification [0054], [0061], [0064], and so forth, which is fundamental economic principles or practices. The process of performing authentication on behalf of another system (e.g. ACS), wherein the system is associated with a particular issuer bank, is still part of the abstract idea, which is simply performing authentication if the other person from the bank is unavailable to process the authentication. The method involves an interaction between a merchant and an issuer bank to receive request for authentication, authenticate the transaction, and send the authentication response, which is a commercial interaction. Fundamental economic principles or practices and/or commercial interactions are both certain methods of organizing human activity, therefore the claims are directed to an abstract idea.
Applicant contends, see page 12, that the present claims are subject-matter eligible under the Second Prong of Step 2A. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 10 1rejection, the additional elements are generic computer components which are merely used to implement the abstract idea. The additional elements do not provide improvements to the functioning of a computer, or to any other technology or technical field, but rather implements mere “apply it”, which is to instruct the additional elements to perform their generic functionalities, such as: receive data, extract data, generate data, compare data, embed data, and transmit data. Therefore, the claims are not indicative of integration into a practical application. 
Applicant contends, see page 13, that the claims recite “significantly more” than the abstract idea itself under Step 2B. Examiner respectfully disagrees. As discussed above, considering the additional elements individually and/or as an ordered combination, the additional element are merely used as a tool to perform the abstract idea (e.g. “apply it”), which is not indicative of an inventive concept (aka “significantly more”). In BASCOM, the Federal Circuit concluded that the district court erred by failing to recognize that when combined, an inventive concept may be found in the non-conventional and non-generic arrangement of the additional elements, i.e., the installation of a filtering tool at a specific location, remote from the end-users, with customizable filtering features specific to each end user. 827 F.3d at 1350, 119 USPQ2d at 1242. However, the additional elements recited in the claims of the current application, the elements in combination does not amount to significantly more because it recites conventional and generic arrangement (e.g. generic computer components) being merely applied to the judicial exception. Additionally, as discussed above under 35 U.S.C. 112(a) rejection, the claim limitation regarding “generate an authentication model specific to a particular issuer bank” is not supported by the Specification, as disclosed in [0060] and [00153] “… to generate a risk model for each issuer bank” merely teaches that each issuer bank can utilize one generated risk model, which is broader than what is currently claimed. Therefore, the 35 U.S.C. 101 rejection is maintained. 
Applicant's arguments, see pages 13 to 18, with respect to 35 U.S.C. 103 rejection have been fully considered but they are not persuasive. Applicant contends that the referenced prior arts do not teach the limitation regarding “generating an authentication model” by “comparing data”. In view of the current amendment to the claims, and the interpretation of the claim language as discussed above under 35 U.S.C. 112(a) rejection for the limitations failing to comply with the written description requirement, the claim limitation is taught by the combination of the referenced prior arts as discussed above under 35 U.S.C. 103 rejection. Therefore, the 35 U.S.C. 103 rejection is maintained.
Applicant’s arguments, see pages 18 to 19, with respect to Non-statutory Double Patenting Rejection have been fully considered and are persuasive. The Non-statutory Double Patenting Rejection has been withdrawn. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Abrams et al. (U.S. 2015/0339477) teaches of using historical authentication data and historical data to generate a risk assessment model as disclosed in [0030-0032].
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY H JUNG whose telephone number is (571)270-5018.  The examiner can normally be reached on Mon - Fri 8:30 - 4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine M Behncke can be reached on 571-272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/H.H.J./           Examiner, Art Unit 3697                                                                                                                                                                                            
	
	/CHRISTINE M BEHNCKE/           Supervisory Patent Examiner, Art Unit 3697