DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submissions filed on July 5, 2022 and August 3, 2022 have been entered.

Acknowledgment and Response to Remarks
This Action is in response to the request for continued examination filed on August 3, 2020, and the amendment filed on July 5, 2022. Claims 1-20 are pending and have been fully examined. 
With respect to the 103 rejections, Applicant’s amendments and remarks were fully considered, but are moot in light of new grounds of rejection. 

Rejections under 35 § U.S.C. 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all 
obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over US 7,567,920 (“Hammad”) and US 2013/0227651 (“Schultz”) and EP 2339543 A2 (“Cabezas”) and US 2013/0030997 (“Spodak”).
With respect to claims 1 and 11, Hammad discloses:
receiving, by an access device (access device 14a, 14b) and from a communication device (e.g. portable communication device 32) operated by a user, credential data, the credential data comprising a primary account number (Track 1 and Track 2 data: Col. 9 ll. 13-27) associated with the communication device (Col. 10 ll. 17-31);  Note: the limitation “the credential data comprising a primary account number associated with the communication device” does not distinguish over the prior art because it is describing the data and does not affect the steps/functions of the claims in a manipulative sense.  
requesting, by the access device and from a server computer via a network, historical use data by the user with the access device; (authorization request message: Col. 10 ll. 39-46, Col. 11 ll. 4-37, Col. 11 ll. 49-59)
receiving, by the access device and from the server computer, the historical use data; (Col. 11 ll. 22-37)

and initiating, by the access device, an offline data authentication (ODA) process (e.g. off-line model) using the received credential data from the communication device, (Col. 4 ll. 14-49)
the online authorization request modified using the historical use data; (Col. 11 ll. 22-37)
in response to receiving, by the access device and from the server computer, an authorization response message within a predetermined period of time (time out feature), the predetermined period of time occurring after transmitting the credential data (PAN) in the authorization request message to the server computer: (Col. 15 ll. 40-67)
determining whether to grant or deny the user access to a resource based on the received authorization response message, or a result of the ODA process (Col. 9 ll. 18-53, Col. 12 ll. 15-49).
Although Hammad discloses an access device that receives credential data and can perform both online and offline authorization, Hammad does not specifically disclose: 
simultaneously initiating an online authorization request and offline data authentication (ODA) process; 
the ODA process comprising: 
transmitting, by the access device, a challenge message; 
receiving, by the access device and form the communication device, a challenge response and identifying information associated with the communication device;  
authenticating, by the access device, of the communication device using the challenge response and the identifying information based on dynamic data authentication, the dynamic data authentication including: 
generating, by the communication device, a dynamic digital signature that is valid for only one authentication using the credential data and access device data from the access device; and 
validating, by the access device, the generated dynamic digital signature using an integrated circuit card public key stored on the communication device, the generated dynamic digital signature received by the access device from the communication device; 
actuate, by the access device, an associated gate device in response to determining to grant the user access to the resource based on the received authorization response message.
However Schultz, in analogous art of user authentication, discloses:
simultaneously (e.g. concurrent) initiating an online authorization request (e.g. online) and offline data authentication (ODA) process (e.g. offline) (Section [0063]); 
the ODA process comprising: transmitting, by the access device (e.g. biometric authenticator), a challenge message (e.g. message) (Section [0070]); 
receiving, by the access device and from the communication device (e.g. mobile device), a challenge response (e.g. response) and identifying information (e.g. mobile device identifier) associated with the communication device (Section [0070]-[0072]); 
authenticating, by the access device, of the communication device using the challenge response (e.g. determines a user authentication confidence score that may be used to authorize a transaction, authorize access to resources, access to a facility) and the identifying information (e.g. determines whether the context information matches one or more criteria associated with the multi-factor authentication procedure)… (Section [0070]-[0072]).
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention to modify the user authentication process/system of Hammad to simultaneously initiate the offline and online authentication, as taught by Schultz, in order to provide a more confident authorization decision (See Schultz Section [0034]).
Further, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself that is in the substitution of the offline authentication process of Schultz for the offline authentication process of Hammad.  Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. 
Although Hammad/Schultz discloses an access device that simultaneously initiates online and offline authentication; and uses a challenge message/response for the offline authentication.  Hammad/Schultz does not specifically disclose:
the predetermined period of time occurring after transmitting the credential data in the authorization request message; 
actuate, by the access device, an associated gate device in response to determining to grant the user access to the resource based on the received authorization response message.  
However Cabezas, in analogous art of user authorization, discloses: 
within a predetermined period of time, the predetermined period of time occurring after transmitting the credential data in the authorization request message (e.g. “in relation to the case in which said condition is said maximum time without response, the method comprises the local system notifying said remote system of the online operation having been canceled due to said maximum time without response having been exceeded…” and “after cancelling said on-line operation, declaring as valid the transaction which was being performed when said cancellation occurred, only by means of the previously performed offline operations”) Sections [0017]-[0018];
actuate, by the access device, an associated gate device in response to determining to grant the user access to the resource based on the received authorization response message (e.g. toll stations, provided with an automatic machine for controlling the passage) (Section [0011]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Hammad/Schultz the concept of authorizing based on receiving a response from the server within a predetermined period of time as taught by Cabezas since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Section [0001]-[0002] of Cabezas discloses that both offline and online authorization are used to maintain the fluidity of users to pass through the toll system.  One of ordinary skill in the art would use a predetermined period of time to receive a response as taught by Cabezas in the authorization system of Hammad/Schultz so that it maintains the fluidity of users to perform the transactions and reduce the risk of long lines.    
Although Hammad/Schultz/Cabezas discloses an access device that simultaneously initiates online and offline authentication; uses a challenge message/response for the offline authentication; and uses a predetermined period of time for the online authentication,  Hammad/Schultz/Cabezas does not specifically disclose:
authenticating… based on dynamic data authentication, the dynamic data authentication including:
generating, by the communication device, a dynamic digital signature that is valid for only one authentication using the credential data and access device data from the access device; and 
validating, by the access device, the generated dynamic digital signature using an integrated circuit card public key stored on the communication device, the generated dynamic digital signature received by the access device from the communication device; 
However Spodak, in analogous art of contactless transactions, discloses:
authenticating… based on dynamic data authentication (e.g. dynamic data authentication), the dynamic data authentication including:
generating a dynamic digital signature (e.g. digital signature) that is valid for only one authentication (e.g. unique digital signature for the particular transaction) using the credential data and access device data from the access device, and 
validating the generated dynamic digital signature using an integrated circuit card public key (e.g. public key) stored on the communication device, the generated dynamic digital signature received by the access device from the communication device (Section [0082]).  Note: the limitation “the dynamic data authentication including generating a dynamic digital signature that is valid for only one authentication using the credential data and access device data from the access device” does not distinguish over the prior art because it is describing the dynamic data authentication and is not positively recited as a step/function of the claims.  The as filed specification in section [0072] discloses that the communication device 110 generates the dynamic signature which is outside the scope of the claims that are directed to the steps/functions of the access device.  
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention to modify the user authentication process/system of Hammad/Schultz/Cabezas to use dynamic data authentication, as taught by Spodak, in order to increase the security of the system.
With respect to claims 2 and 12, Hammad/Schultz/Cabezas/Spodak discloses all of the limitations of claims 1 and 11 above.  Cabezas further discloses:
wherein the predetermined period of time (e.g. maximum time) is 500 milliseconds (ms) (Section [0015]-[0018]).  Note: Cabezas in section [0015]-[0018] discloses that a maximum time condition without a response is used to determine whether or not to perform the offline authorization.  The amount of time is a design choice and it would be obvious to make the period of time any amount.    
With respect to claims 3 and 13, Hammad/Schultz/Cabezas/Spodak discloses all of the limitations of claims 1 and 11 above.  Cabezas further discloses:
wherein the resource is at least one of a transit system (e.g. toll road), event venue, or building (Section [0009]).  
With respect to claims 4 and 14, Hammad/Schultz/Cabezas/Spodak discloses all of the limitations of claims 1 and 11 above.  Cabezas further discloses:
wherein the communication device comprises at least one of a mobile device or a payment card (e.g. magnetic card or chip card) or an EMV card) (Section [0009]).  

Claims 5-7, 9, 10, 15-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hammad/Schultz/Cabezas/Spodak, as applied to claims 1 and 11 above, in further view of US 20080183589 A1 (“Dixon”).
With respect to claims 5 and 15, Hammad/Schultz/Cabezas/Roberts do not specifically disclose wherein the primary account number is used to initiate transactions at other access devices.  However Dixon, in analogous art of user authorization, discloses:
wherein the primary account number (e.g. PAN) is used to initiate transactions at other access devices (e.g. transit reader) (Section [0048]).  Note: the limitation “wherein the primary account number is used to initiate transactions at other access devices” does not distinguish over the prior art because it is describing the intended use of the primary account number and is not positively recited as a step/function of the claims.  
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Hammad/Schultz/Cabezas/Spodak the concept of using the card information to initiate transactions at transit terminals as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  By using the card information to perform transactions at transit terminals, it provides the user with a convenient way to pay for transit access.    
With respect to claims 6 and 16, Hammad/Schultz/Cabezas/Spodak do not specifically disclose further comprising updating a blacklist based on at least one of the received authorization response message or the result of the ODA process.  However Dixon, in analogous art of user authorization, discloses:
further comprising updating a blacklist (e.g. black list) based on at least one of the received authorization response message (e.g. notification from issuer) or the result of the ODA process (Section [0055]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Hammad/Schultz/Cabezas/Spodak the concept of updating a blacklist based on the authorization response as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Cabezas discloses the use of a blacklist in section [0022] to authorize a user.  By updating the blacklist of Cabezas based on the authorization response message (as taught by Dixon), it allows the system to be more secure and faster for future transactions.  
With respect to claims 7 and 17, Hammad/Schultz/Cabezas/Spodak do not specifically disclose in response to receiving, by the access device and from the server computer, the authorization response message following the predetermined period of time after transmitting the credential data in the authorization request message to the server computer, updating a blacklist based on the received authorization response message.  However Dixon, in analogous art of user authorization, discloses:
in response to receiving, by the access device and from the server computer, the authorization response message following the predetermined period of time after transmitting the credential data in the authorization request message (e.g. notification from issuer) to the server computer, updating a blacklist (e.g. black list) based on the received authorization response message (Section [0055]).
The motivation to combine Dixon with Hammad/Schultz/Cabezas/Spodak was disclosed above in the examination of claims 6 and 16.  
With respect to claims 9 and 19, Hammad/Schultz/Cabezas/Spodak do not specifically disclose wherein the server computer is a part of a payment processing network.  However Dixon, in analogous art of user authorization, discloses:
wherein the server computer (e.g. issuer) is a part of a payment processing network (Section [0035]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Hammad/Schultz/Cabezas/Spodak the use of a payment processing network server as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  One of ordinary skill in the art would know that any type of server is capable of performing the functions of the claims and therefore it would be obvious to use any type of server including one that is part of a payment processing network.  
With respect to claims 10 and 20, Hammad/Schultz/Cabezas/Spodak do not specifically disclose wherein the credential data is received via a contactless communication protocol.  However Dixon, in analogous art of user authorization, discloses:
wherein the credential data is received via a contactless communication protocol (e.g. wireless/contactless) (Section [0038]-[0041]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Hammad/Schultz/Cabezas/Spodak the use of a contactless communication protocol as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Since both Hammad and Dixon disclose transmitting payment card information to an access device, one of ordinary skill in the art would know that sending the payment card information of Hammad using a contactless communication protocol (as disclosed by Dixon) would produce predictable results.  


Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hammad/Schultz/Cabezas/Spodak, as applied to claims 1 and 11 above, in further view of US 20170200149 A1 (“Antunovic”).
With respect to claims 8 and 18, Hammad/Schultz/Cabezas/Spodak do not specifically disclose wherein the credential data comprises a cryptogram, and wherein the result of the ODA process is indicative of whether the cryptogram is valid.  However Antunovic, in analogous art of authorization, discloses:
wherein the credential data comprises a cryptogram (e.g. cryptogram), and wherein the result of the ODA process is indicative of whether the cryptogram is valid (e.g. validated offline) (Section [0085]).
Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself that is in the substitution of the cryptogram of Antunovic for the card information of Hammad.  Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMA ASGARI whose telephone number is (571)272-2037. The examiner can normally be reached M-F 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571)272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SIMA ASGARI/Examiner, Art Unit 3685                                                                                                                                                                                                        
/STEVEN S KIM/Primary Examiner, Art Unit 3685