DETAILED ACTION
Claims 1-20 are currently pending and have been examined in this application.  This communication is the first action on the merits. 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Applicant has submitted the DSMER.REQ (SB-456), and participation is granted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/6/22 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

	
Response to Arguments


Applicant’s arguments regarding 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant's arguments filed regarding 103 have been fully considered but they are not persuasive. 

Issue #1
Applicant: " The proposed Groarke-Tomasofsky combination fails to disclose, teach, or suggest all the limitations of independent Claim 1. As an example, the proposed Groarke-Tomasofsky combination fails to disclose, teach, or suggest the following limitations recited in Claim 1: determining that an issuer domain computer has configured, at the access control server computer, a decision function for delegating a second portion of the 3-D Secure authorization protocol to the issuer domain computer, wherein the issuer domain computer is a non-certified or non-compliant 3-D Secure service provider, and wherein the second portion of the 3-D Secure authorization protocol relates to determining whether to challenge the transaction; and " in response to determining that the issuer domain computer has configured the decision function at the access control server computer, transmitting, to the issuer domain computer, a decision request message for the second portion of the 3-D Active 00352.1.DOCX ATTORNEY DOCKETPATENT APPLICATION088853.010817/125,03312 of 13Secure authorization protocol and information associated with the transaction, the decision request message requesting the issuer domain computer to determine an action for authenticating the transaction based on the information associated with the transaction and one or more programmatic rules of the issuer domain computer, the transmitting occurring in lieu of the access control server computer executing the second portion of the 3-D Secure authorization protocol decision function at the access control server computer. Neither Groarke nor Tomasofsky discloses these limitations. Groarke does not appear to disclose delegating a portion of the 3DS protocol to a non-certified or non-compliant 3-D Secure service provider. Tomasofsky relates to, at most, delegation of the risk-based decisioning to an entity in the acquirer domain, such as a merchant. Furthermore, none of the other cited references, taken alone or in combination, remedy these omissions of Groarke and Tomasofsky. 


Examiner:  Groarke teaches the limitation “wherein the issuer domain computer is a non-certified or non-compliant 3-D Secure service provider, and” in at least 0020-0021.  Tomasofsky teaches the limitation “determining that an issuer domain computer has configured, at the access control server computer, a decision function for” in at least 0052, 0129 & 0131.  Similarly, Tomasofsky teaches the limitation “delegating a second portion of the 3-D Secure authorization protocol to the issuer domain computer” in at least 0118 & 0129-0130.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  



Allowable Subject Matter

Claims 6, 14 & 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.



Claim 6. The method of Claim 4, the executing the indicated action comprising: transmitting a second authentication request message to a payment application running on a user computer associated with the payment account, the payment application having been used to initiate the transaction, the second authentication request message requesting the payment application to authenticate the transaction based on biometric sensors of the user computer; receiving, from the payment application, an API call comprising a payload verification value specifying that a user associated with the user computer has been authenticated based on the biometric sensors in response to the second authentication request message; transmitting, to the issuer domain computer, an authentication response message specifying that the transaction is authenticated.

	

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The claims are either directed to a system or method, which is one of the statutory categories of invention.  (Step 1: YES).
The Examiner has identified method Claim 1 as the claim that represents the claimed invention for analysis and is similar to system Claims 9 & 15.  Claim 1 recites the limitations of (additional elements emphasized in bold and are considered to be parsed from the remaining abstract idea): 


A computer-implemented method for authenticating e-commerce transactions, the method comprising, by one or more computer devices of an access control server computer comprising a 3-D Secure service provider: receiving, from a payment network computer, a first authentication request message to authenticate a transaction associated with a digital electronic payment account, wherein the transaction is initiated by a merchant computer in an acquirer domain; validating the first authentication request message according to a first portion of a 3-D Secure authorization protocol; determining that an issuer domain computer has configured, at the access control server computer, a decision function for delegating a second portion of the 3-D Secure authorization protocol to the issuer domain computer, wherein the issuer domain computer is a non-certified or non-compliant 3-D Secure service provider, and wherein the second portion of the 3-D Secure authorization protocol relates to determining whether to challenge the transaction; and in response to determining that the issuer domain computer has configured the decision function at the access control server computer, transmitting, to the issuer domain computer, a decision request message for the second portion of the 3-D Secure authorization protocol and information associated with the transaction, the decision request message requesting the issuer domain computer to determine an action for authenticating the transaction based on the information associated with the transaction and one or more programmatic rules of the issuer domain computer, the transmitting occurring in lieu of the access control server computer executing the second portion of the 3-D Secure authorization protocol decision function at the access control server computer; receiving, in response to the decision request message, an indication for an action for authenticating the transaction based on the decision request message sent to the issuer domain computer; executing the indicated action to authenticate the transaction.  




which is a process that, under its broadest reasonable interpretation, covers performance of the limitation(s) as a Certain method of organizing human activity (fundamental economic practice) of authenticating e-commerce transactions.  

If a claim limitation, under its broadest reasonable interpretation (BRI), covers performance of the limitation as a certain method of a fundamental economic practice, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  

Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims are abstract)
This judicial exception is not integrated into a practical application. Limitations that are not indicative of integration into a practical application include:  (1) Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (MPEP 2106.05.f), (2) Adding insignificant extra-solution activity to the judicial exception (MPEP 2106.05.g), (3) Generally linking the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05.h).  The computers and 3-D Secure authorization protocol in Claim 1 (as well as the processor & non-transitory CRM of Claim 9 and further the software of Claim 15) are just using generic computer components.  The computer hardware is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to implement an abstract idea by adding the words “apply it” (or an equivalent) with the judicial exception.  Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore claim 1 is directed to an abstract idea without a practical application.  (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computer hardware amounts to no more than mere instructions to implement an abstract idea by adding the words “apply it” (or an equivalent) with the judicial exception.  Mere instructions to implement an abstract idea on or with the use of generic computer components, cannot provide an inventive concept - rendering the claim patent ineligible. Thus claim 1 is not patent eligible. (Step 2B: NO. The claims do not provide significantly more)  
The dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for at least the reasons presented above.  The dependent claims do not include any additional elements (including Claims 5, 13 & 19 – payment application – which is just a computer tool used to implement the abstract idea; Claims 6, 14 & 20 – payment application, biometric sensors and an API – which are computer tools/generic computer components that further implement the abstract idea; Claim 8 – token – which is just a form of data representation) that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination.  Therefore, the dependent claims are directed to an abstract idea.  Thus, the aforementioned claims are not patent-eligible.
 
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4, 7-10, 12, 15-16 & 18 are rejected under 35 U.S.C. 103 as being unpatentable over Groarke (US 20160140558) in view of Tomasofsky (US 20160078436), and further in view of Allen (US 20180349909).


Claim 1. 

Groarke teaches the following limitations: 



receiving, from a payment network computer, a first authentication request message to authenticate a transaction associated with a digital electronic payment account, 


(Groarke – [0003] Those knowledgeable in the field recognize that the risk of financial fraud is greater for a remote transaction because there is less ability for the merchant to verify the identity and authenticity of the cardholder. The nature of such remote transactions, sometimes referred to as "card-not-present" or CNP transactions [0025] The acquirer FI computer 214 receives the purchase transaction authorization request and then forwards 223 the purchase transaction authorization request to a payment network 216 (which includes one or more computers and/or computer systems). The payment network 216 receives the purchase transaction authorization request and determines whether or not the bank identification number (BIN) of the cardholder's PAN falls within a range of PANs eligible for 3-D Secure OBO issuer service processing. (In some embodiments, one or more BIN ranges indicating payment card account eligibility is obtained from each issuer FI at the time a particular issuer FI registered or enrolled for 3-D Secure OBO issuer service processing, and these BIN ranges are then provided to the payment network 216.) When a BIN is matched to a BIN range, the payment system network 216 then transmits 225 the purchase transaction authorization request to the 3-D Secure OBO issuer service computer 210 for processing. [0053] The term "payment card account" also includes an account to which a payment card account number is assigned. Thus a payment card account may include an account to which payment transactions may be routed by a payment system that handles debit card and/or credit card transactions)

Examiner Note:  The enrollment forms the basis for the first request message.


wherein the transaction is initiated by a merchant computer in an acquirer domain;

(Groarke – [0022] browse the offerings on the merchant's website, selects merchandise
and/or services and then initiates a purchase transaction by providing payment card account information at the merchant's website checkout webpage (not shown) hosted by the merchant server 204. [0025] a Merchant Service Provider registered the merchants associated with a given acquirer FI…the merchant server 204 generates and transmits 221 a purchase transaction authorization request to the acquirer financial institution (FI) computer 214. The acquirer FI computer 214 receives the purchase transaction authorization request and then forwards 223 the purchase transaction authorization request to a payment network 216 (which includes one or more computers and/ or computer systems). [0038] The acquirer FI may then transmit 235 the transaction approved message to the merchant server 204, which transmits 237 a message to the consumer device 202. [0049] OBO issuer service computer may send a decline purchase transaction message to the merchant (for example, to the merchant server computer 204) via the merchant's acquirer FI computer)


validating the first authentication request message according to 

(Groarke – [0028] the fact that the purchase transaction authorization request passed through the OBO validation process indicates that the 3-D Secure OBO issuer service computer 210 has validated the UCAF.)

wherein the issuer domain computer is a non-certified or non-compliant 3-D Secure service provider, and 

(Groarke – [0020] 3-D Secure OBO issuer service computer 210 is shown, which may be operated by a service provider (which may be a third party provider)…an issuer financial institution (FI), such as a member bank of a payment card processor, may enroll with an issuer OBO interception and validation service in order to receive authorization messages for online transactions that include the actual universal card holder authentication field ("UCAF") to increase overall confidence in purchase transactions…the entity providing the 3-D Secure OBO issuer service (which provides an interception and validation service) may charge a fee or fees to issuer Fis for providing the service. [0021] issuer FI computer)

Examiner Note:  Issuer FI computer corresponds to issuer domain computer.  Issuer FI enrolls in a 3d secure obo issuer service for a 3d secure authentication service which it cannot administer on its own (non-certified or non-compliant).


    PNG
    media_image1.png
    556
    822
    media_image1.png
    Greyscale



Groarke does not explicitly teach the following limitations, however Tomasofsky teaches: 



a first portion of a 3-D Secure authorization protocol; 


(Tomasofsky – [0129] Steps 1040, 1045, 1050, and 1055 represent an example authentication transaction 1042 under the 3DS protocol. In some embodiments, authentication transaction 1042 is similar to transaction authentication 906 (shown in FIG. 9). In the example embodiment, MPI 1004 provides fraud-related data during a verification process to the issuing bank associated with the subject payment card (e.g., issuer 30) and/or an access control server (ACS) 1006 associated with issuer 30. More specifically, MPI 1004 provides fraud-related data to ACS 1006 using extension messages in the 3DS protocol within, for example, an enrollment check (VeReq, or "verification request") message 1044. [0117, 0132])



determining that an issuer domain computer has configured, at the access control server computer, a decision function for 

(Tomasofsky – [0052] a risk-based decisioning (RBD) module (not separately shown in FIG. 1) that is configured to analyze various data associated with the payment card transaction and provide various services to one or more parties involved in the payment
card transaction, such as merchant 24 and issuer 30. [0129] MPI 1004 provides fraud-related data during a verification process to the issuing bank associated with the subject payment card (e.g., issuer 30) and/or an access control server (ACS) 1006 associated with issuer 30. [0131] ACS 1006 on behalf of issuer 30, may use the fraud-related data for many uses such as, for example, implementing their own risk-based decisioning system similar to RBD 750, 920.)


delegating a second portion of the 3-D Secure authorization protocol to the issuer domain computer, 

(Tomasofsky – [0129] Steps 1040, 1045, 1050, and 1055 represent an example authentication transaction 1042 under the 3DS protocol. In some embodiments, authentication transaction 1042 is similar to transaction authentication 906 (shown in FIG. 9). In the example embodiment, MPI 1004 provides fraud-related data during a verification process to the issuing bank associated with the subject payment card (e.g., issuer 30) and/or an access control server (ACS) 1006 associated with issuer 30. More specifically, MPI 1004 provides fraud-related data to ACS 1006 using extension messages in the 3DS protocol within, for example, an enrollment check (VeReq, or "verification request") message 1044. [0130] as a part of 3DS enrollment check, MPI 1004, network 28, and ACS 1006 utilize a non-critical extension to a 3DS VeReq message 1044 to pass fraud-related information to issuer 30 and/or ACS 1006. [0118])




wherein the second portion of the 3-D Secure authorization protocol relates to determining whether to challenge the transaction;


(Tomasofsky – [0129] Steps 1040, 1045, 1050, and 1055 represent an example authentication transaction 1042 under the 3DS protocol. In some embodiments, authentication transaction 1042 is similar to transaction authentication 906 (shown in FIG. 9). In the example embodiment, MPI 1004 provides fraud-related data during a verification process to the issuing bank associated with the subject payment card (e.g., issuer 30) and/or an access control server (ACS) 1006 associated with issuer 30. More specifically, MPI 1004 provides fraud-related data to ACS 1006 using extension messages in the 3DS protocol within, for example, an enrollment check (VeReq, or "verification request") message 1044. [0130] as a part of 3DS enrollment check, MPI 1004, network 28, and ACS 1006 utilize a non-critical extension to a 3DS VeReq message 1044 to pass fraud-related information to issuer 30 and/or ACS 1006. [0118] if risk result 922 includes a recommendation for additional authentication of suspect consumer 902, or if the risk score satisfies a second pre-defined threshold, which may be the same as or different from the first pre-defined threshold (i.e., the risk sore indicates that the transaction is more risky), then additional authentication of suspect consumer 902 will be performed. More specifically, TPS 910 initiates (e.g., transmits) a request to an additional authentication service 930, and the authentication service 930 performs an authentication challenge 932 of suspect consumer 902.)


in response to determining that the issuer domain computer has configured the decision function at the access control server computer, transmitting, to the issuer domain computer, a decision request message for the second portion of the 3-D Secure authorization protocol and information associated with the transaction, 

(Tomasofsky – [0116] TPS 910 transmits a scoring request to a risk-based decisioning (RBD) system 920 for fraud analysis and scoring. In some embodiments, RBD system 920 is a third-party fraud screening service. In other embodiments, RBD system 920 is provided by network 28 or issuer 30 (shown in FIG. 1). In some embodiments, RBD system 920 is similar to RBD system 121 (shown in FIGS. 2 and 3) and/or RBD module 750 (shown in FIGS. 7 and 8). In the example embodiment, the scoring request to RBD system 920 includes infrastructure data such as one or more of transaction data, information about a computing device used to conduct the subject transaction (“device information”, e.g., geo-location data of the device Internet protocol (IP) address), additional payment card information not included in the transaction data (“payment card information”), information about a digital wallet used to conduct the subject transaction (“digital wallet information”, e.g., whether and/or how often this particular device has been used in conjunction with this digital wallet), and cart data associated with the subject transaction (“cart data”).  [0118] if risk result 922 includes a recommendation for additional authentication of suspect consumer 902, or if the risk score satisfies a second pre-defined threshold, which may be the same as or different from the first pre-defined threshold (i.e., the risk sore indicates that the transaction is more risky), then additional authentication of suspect consumer 902 will be performed. More specifically, TPS 910 initiates (e.g., transmits) a request to an additional authentication service 930, and the authentication service 930 performs an authentication challenge 932 of suspect consumer 902. [0129] MPI 1004 provides fraud-related data during a verification process to the issuing bank associated with the subject payment card (e.g., issuer 30) and/or an access control server (ACS) 1006 associated with issuer 30.)


the decision request message requesting the issuer domain computer to determine an action for authenticating the transaction based on the information associated with the transaction and one or more programmatic rules of the issuer domain computer, 

(Tomasofsky – [0122] under Verify Checkout, TPS 910 invokes RBD 920 to calculate risk result 922. RBD 920 may provide risk scoring as described above similar to RBD 750 (shown in FIGS. 7 and 8). In some embodiments, RBD 920 may provide scoring with default scoring rules (e.g., one or more default scoring rules stored in a memory of RBD 920), or may apply issuer- or merchant-specific settings (e.g., one or more fraud scoring configuration parameters received from a merchant or an issuer). [0133] The example VeReq message shown in Table 4 includes several fields that provide transaction data associated with the subject transaction, such as a primary account number at line (3), merchant information at lines ( 4) to (9) ( e.g., a merchant ID, an acquirer BIN), and purchase information at lines (11) to (17) ( e.g., a purchase amount and date). Further, the example VeReq message includes an extension section at lines (18) to (37). This extension section contains one or more elements of fraud-related information. [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9)).


the transmitting occurring in lieu of the access control server computer executing the decision function at the access control server computer; 

(Tomasofsky - [0116] TPS 910 transmits a scoring request to a risk-based decisioning (RBD) system 920 for fraud analysis and scoring. In some embodiments, RBD system 920 is a third-party fraud screening service. In other embodiments, RBD system 920 is provided by network 28 or issuer 30 (shown in FIG. 1). In some embodiments, RBD system 920 is similar to RBD system 121 (shown in FIGS. 2 and 3) and/or RBD module 750 (shown in FIGS. 7 and 8). [0129] Steps 1040, 1045, 1050, and 1055 represent an example authentication transaction 1042 under the 3DS protocol. In some embodiments, authentication transaction 1042 is similar to transaction authentication 906 (shown in FIG. 9). In the example embodiment, MPI 1004 provides fraud-related
data during a verification process to the issuing bank associated with the subject payment card (e.g., issuer 30) and/or an access control server (ACS) 1006 associated with issuer 30. More specifically, MPI 1004 provides fraud-related data to ACS 1006 using extension messages in the 3DS protocol within, for example, an enrollment check (VeReq, or "verification request") message 1044. [0131] Issuer 30, or ACS 1006 on behalf of issuer 30, may use the fraud-related data for many uses such as, for example,
implementing their own risk-based decisioning system similar to RBD 750, 920.)


receiving, in response to the decision request message, an indication for an action for authenticating the transaction based on the decision request message sent to the issuer domain computer; 

(Tomasofsky - [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9)).


executing the indicated action to authenticate the transaction.  

(Tomasofsky – [0131] Based on the given result, the payment card transaction may be, for example, failed ( e.g., if the subject payment card is ineligible for 3DS step-up authentication) or authenticated (e.g., receiving an AUTHENTICATION_COMPLETE message indicates that the issuer has sufficient data to authenticate the suspect consumer without any further interaction with the cardholder) [0145] transmitting 1308 the message with the first risk score included within the at least one extension field to a party associated with the payment card transaction for use during authentication of the payment card transaction.)



It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Groarke with Tomasofsky in order to provide for sharing risk-based decisioning data with an issuer through the use of extensions to an authentication protocol [Tomasofsky – 0023].


Groarke does not explicitly teach the following limitations, however Allen teaches: 

by one or more computer devices of an access control server computer comprising a  3-D Secure service provider: 


(Allen – [0028] a merchant plug-in (MPI) 126 associated with the acquirer 104 and an access control server (ACS) 128 associated with the issuer 108. In particular, the ACS 128 is configured to provide enhanced authentication services (e.g., via 3-D Secure protocols, etc.) for use in authenticating the authorizing user 114 (and other users, as appropriate)…the ACS 128 may comprise and/or may be incorporated in any suitable computing devices (e.g., the computing devices 200 associated with the acquirer 104 and the issuer 108, respectively; etc.) and/or may include any protocols (e.g., including, but not limited to, the 3-D Secure protocols, etc.), for example, that take part in authenticating the authorizing user 114 prior to permitting/authorizing purchase transactions by the transacting user 112 to the payment account of the authorizing user 114.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Groarke with Allen in order to configure an access control server to provide 3-D Secure authentication services [Allen – 0028].



Claim 2. 

Goarke in combination with the references taught in Claim 1 teach those respective limitations.  Groarke does not explicitly teach the following limitations, however Tomasofsky further teaches:

the receiving the indication for the action comprising receiving a decision response message from the issuer domain computer specifying the indicated action.  

(Tomasofsky - [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9)).






Claim 4. 

Goarke in combination with the references taught in Claim 1 teach those respective limitations.  Groarke does not explicitly teach the following limitations, however Tomasofsky further teaches:


the indicated action being to challenge the transaction, and in response to receiving the indication for the action, transmitting a challenge message to the payment network computer to notify the payment network computer that the transaction is being challenged.  

(Tomasofsky – [0048] Using an interchange network 28 (payment network), computers of merchant bank 26 or merchant processor will communicate with computers of an issuer bank 30 to determine whether cardholder's 22 account 32 is in good standing and whether the purchase is covered by cardholder's 22 available credit line. Based on these determinations, the request for authorization will be declined or accepted. If the request is accepted, an authorization code is issued to merchant 24. [0118] if risk result 922 includes a recommendation for additional authentication of suspect consumer 902, or if the risk score satisfies a second pre-defined threshold, which may be the same as or different from the first pre-defined threshold (i.e., the risk sore indicates that the transaction is more risky), then additional authentication of suspect consumer 902 will be performed. More specifically, TPS 910 initiates (e.g., transmits) a request to an additional authentication service 930, and the authentication service 930 performs an authentication challenge 932 of suspect consumer 902. [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9) [Fig. 9])



Claim 7. 

Goarke in combination with the references taught in Claim 1 teach those respective limitations.  Groarke does not explicitly teach the following limitations, however Tomasofsky further teaches:


the indicated action being to exempt the transaction, the method further transmitting, to the issuer domain computer, an authentication response message specifying that the transaction is authenticated.  

(Tomasofsky - [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9)).



Claim 8. 

Goarke in combination with the references taught in Claim 1 teach those respective limitations.  Groarke does not explicitly teach the following limitations, however Tomasofsky further teaches:


generating a card token for a payment card associated with the transaction, the information associated with the transaction comprising the card token.  

(Tomasofsky – [0082] device data 610 and/or payment card data 620 may include a recognized secure element such as, for example, a token associated with a particular device and/or payment card (e.g., as with MasterCard® Digital Enablement Service (MDES), or Digital Secure Remote Payments (DSRP)). In some embodiments, this secure element may be provided by a piece of hardware such as a separate computing device that is separated from the device being used in the payment card transaction. For example, during a prior payment card transaction involving digital wallet 600, the secure element is generated and/or validated as a part of the transaction [0122] VeReq message shown in Table 4 includes several fields that provide transaction data associated with the subject transaction, such as a primary account number)

Claim 9. 


Groarke teaches the following limitations: 


an access control server computer comprising one or more processors and one or more computer- readable non-transitory storage media coupled to one or more of the processors, the one or more computer-readable non-transitory storage media comprising instructions operable when executed by one or more of the processors cause the system to perform: 

(Groarke – [Fig. 2, 0044])


The remainder of the claim is rejected using the same rationale as Claim 1.

Claim 10. 

Rejected using the same rationale as Claim 2.


Claim 12. 

Rejected using the same rationale as Claim 4.


Claim 15. 

Groarke teaches the following limitations: 


One or more computer-readable non-transitory storage media of embodying software that is operable for authenticating e-commerce transactions when executed cause one or more processors of an access control server computer to perform: 

(Groarke – [Fig. 2, 0004, 0044])


The remainder of the claim is rejected using the same rationale as Claim 1.

Claim 16. 

Rejected using the same rationale as Claim 2.


Claim 18. 

Rejected using the same rationale as Claim 4.


Claims 3, 11 & 17 are rejected under 35 U.S.C. 103 as being unpatentable over Groarke (US 20160140558) in view of Tomasofsky (US 20160078436), and further in view of Allen (US 20180349909), and further in view of Palanisamy (US 20150199679).


Claim 3. 

Goarke in combination with the references taught in Claim 1 teach those respective limitations.  Groarke does not explicitly teach the following limitations, however Tomasofsky further teaches:


the receiving the indication for the action comprising: … decision request message


(Tomasofsky - [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9)).


determining the action based on a default action.  

(Tomasofsky – [0107] RBD module 750 may provide a default set of rules that are used to generate risk result 752.)


Groarke does not explicitly teach the following limitations, however Palanisamy further teaches:
determining that the issuer domain computer has not responded to the [decision request] message within a specified time period; 

(Palanisamy – [0090]  the issuer server computer 150 may not respond to the provisioning request message within a predetermined amount of time. [0057])

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Groarke with Palanisamy in order to provision tokenized payment credentials via a provisioning request message within a predetermined period of time [Palanisamy – 0007, 0057].

Claim 11. 

Rejected using the same rationale as Claim 3.

Claim 17. 

Rejected using the same rationale as Claim 3.




Claims 5, 13 & 19 are rejected under 35 U.S.C. 103 as being unpatentable over Groarke (US 20160140558) in view of Tomasofsky (US 20160078436), and further in view of Allen (US 20180349909), and further in view of Agarwalla (US 20190197527), and further in view of Malhotra (US 20210021589).


Claim 5. 

Goarke in combination with the references taught in Claim 4 teach those respective limitations.  Groarke does not explicitly teach the following limitations, however Tomasofsky further teaches:

the executing the indicated action comprising: 

(Tomasofsky – [0131] Based on the given result, the payment card transaction may be, for example, failed ( e.g., if the subject payment card is ineligible for 3DS step-up authentication) or authenticated (e.g., receiving an AUTHENTICATION_COMPLETE message indicates that the issuer has sufficient data to authenticate the suspect consumer without any further interaction with the cardholder) [0145] transmitting 1308 the message with the first risk score included within the at least one extension field to a party associated with the payment card transaction for use during authentication of the payment card transaction.)

transmitting, to the issuer domain computer, an authentication response message specifying that the transaction is authenticated.  

(Tomasofsky - [0135] <RiskDetermination> may also include a <recommendation> sub-section. <recommendation> represents a recommended course of action based on <score>. In one embodiment, <recommendation> is an enumerated data type consisting of either "Good" or "Bad", which may be used by issuer 30 or ACS 1006 to determine whether or not to allow the transaction to process without further authentication (e.g., without 3DS step-up challenge 932 (shown in FIG. 9)).


Groarke does not explicitly teach the following limitations, however Agarwalla further teaches:

transmitting, to a digital electronic address associated with the payment account, a second authentication request message comprising 

(Agarwalla – [0057] The Website associated with the online merchant may send a verification link to the email address and/or the phone number to verify the account details of the user. [0063] processor 302 is configured to lookup the email address and/or the phone number in the database 206 to determine if a record of a user digital wallet account exists among the plurality of digital wallet accounts. It is noted that the digital wallet account of the user may include information related to one or more payment cards and shipping information)

a one-time password and instructions to input the one-time password in a payment application running on a user computer, the payment application having been used to initiate the transaction; 

(Agarwalla –  [0073] provision a message including a password-reset link to the user to facilitate activation of the created digital wallet account. As explained with reference to FIG. 5B, the message may be embodied as an Email message [0075] authentication of the user subsequent to the activation of the created digital wallet account to facilitate addition of the payment card to the digital wallet account. To authenticate the user, 3DS or any known authentication mechanism, may be utilized…the processor 302 may cause the merchant application (i.e. the merchant Website or the merchant mobile application) to display a UI requesting the user to input One Time Password (OTP). The processor 302 may be configured to provision the OTP to the user's phone number and/or email address.)


    PNG
    media_image2.png
    416
    386
    media_image2.png
    Greyscale




It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Groarke with Agarwalla in order to facilitate digital wallet based payment card transactions using OTP [Agarwalla – abstract, 0075].

Groarke does not explicitly teach the following limitations, however Malhotra further teaches:


receiving a confirmation message from the [payment application] indicating that an input password received by the [payment application] matches the one-time password; 

(Malhota – [claim 1] when the received OTP matches the transmitted OTP, compiling and storing, by the computing device, in memory associated with the computing device, an identity for the user based on the identifying data for the user; receiving, by the computing device, an IoT device ID associated with an IoT device, from the application included in the communication device; appending, by the computing device, the IoT device ID to the identity of the user; receiving, by the computing device, a request indicator from the IoT device, the request indicator including the IoT device ID; seeking, by the computing device, authentication of the user at the communication device, via the application; and in response to the request indicator, providing, by the computing device, to the IoT device, a confirmation of authentication of the user and/or a portion of the identifying data from the stored identity of the user, when an authentication input from the communication device matches the stored identity of the user)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Groarke with Malhotra in order to provide a confirmation message when a received OTP matches a transmitted OTP [Malhotra – claim 1].

Claim 13. 

Rejected using the same rationale as Claim 5.


Claim 19. 

Rejected using the same rationale as Claim 5.


Conclusion
The prior art made of record, and not relied upon, considered pertinent to applicant' s disclosure or directed to the state of art is listed on the enclosed PTO-892.  
The following is a brief description for relevant prior art that was cited but not applied:	

Groarke (US 10607220) provides a method for consolidated message processing using 3DS (see Fig. 4 & 7).

Hammad (US 9792611) provides a secure transaction and authentication system using the 3-D secure protocol.

Piel (US 20170091772) provides a method and system for authentication data collection and reporting using 3-D Secure (3DS).

Landrok (US 20150142666) provides an authentication service for hosting in trusted server environments includes a validation process for validating the identities of mobile users from a server's vantage point in the Cloud.

Golan (US 20040254848) provides a financial transaction system having a set of transaction facilitating protocols which may be used in conjunction with a 3D Secure system.

Gilbert (US 20150161608) provides an improved authentication system for financial transactions using the 3-D secure protocol.



THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULMAJEED AZIZ whose telephone number is (571)270-5046. The examiner can normally be reached M-F 7-4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached on 571-270-3602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABDULMAJEED AZIZ/Primary Examiner, Art Unit 3695