DETAILED ACTION
Acknowledgements
This office action is in response to the claims filed October 29, 2020.
Claims 21-40 are pending and have been examined. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b). Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claim 24 is rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claim 1 of U.S. Patent No. 10861019 B2 to Prakash et al (“Patent Document”).  

Although the conflicting claims are not identical, they are not patentably distinct from each other. Claim 24 of the Patent Document recites all the limitations of claim 1 of the instant application; however, claim 1 of the Patent Document differs since it further recites additional claim limitations including: causing the transaction to be approved or declined based on whether the confidence level for the transaction is above a threshold confidence level.

However, it would have been obvious to a person of ordinary skill in the art to modify claim 24 of the Patent Document by removing the additional limitations noted above resulting generally in the claims of the present application, since the claims of the present application and the claim recited in the Patent Document actually perform a similar function. It is well settled that the omission of an element and its function is an obvious expedient if the remaining elements perform the same function as before. In re Karlson, 136 USPQ 184 (CCPA 1963). Also note Ex parte Rainu, 168 USPQ 375 (Bd. App. 1969). Thus, omission of a reference element whose function is not needed would be obvious to one of ordinary skill in the art.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 21-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 1, for example, recites the limitation “…decrypts the cryptogram to obtain second location information...” which renders the claims indefinite. It is unclear to a person of ordinary skill in the art how decrypting the cryptogram relates to obtaining the second location information when the cryptogram does not include the second location information. Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.


Claims 21-40 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Powell et al (US 20150127547 A1) (“Powell”) in view of Heffez et al (US 20090102712 A1) (“Heffez”). 

As per claims 21, 31 & 33, Powell discloses:
obtaining, by a mobile device, first location information associated with the mobile device (e.g. a geo-location is the wireless detection of the physical location) […] (¶ [0089], [0104], [0045], [0050], [0097]; [0176]);
generating, by the mobile device, a request for dynamic data (token) (¶¶ [0104], [0045], [0050], [0097]), the request including the first location information (¶¶ [0045], [0089], [0091], [0176], [0060], [0113]);
transmitting, by the mobile device, the request to a server computer (¶¶ [0089], [0091], [0176], [0060], [0113]);
receiving, by the mobile device, the dynamic data from the server computer (¶¶ [0013], [0114], [0097], [0100]);
storing, by the mobile device, the dynamic data (¶¶ [0013], [0114], [0097], [0100]);
 
generating, by the mobile device, a cryptogram including transaction data using the dynamic data, the transaction data corresponding to a transaction using the mobile device and a terminal device (¶¶ [0009], [0010], [0013], [0147]-[0151]); and 
transmitting, by the mobile device and to the terminal device, the cryptogram, wherein the terminal device thereafter transmits an authorization request message that includes the transaction data and the cryptogram to the server computer (¶¶ [0009], [0010], [0013], [0147]-[0151]), and 
wherein the server computer thereafter [obtains] the cryptogram to obtain second location information associated with the mobile device (location of merchant where the user is conducting a transaction) at a time of the transaction (¶ [0060], [0147]-[0151]), and 
determines a confidence level (assurance level) for the transaction (¶¶ [0089], [0091]) based at least in part on comparing the first location information and the second location information (¶¶ [0047], [0060], [0089], [0091], [0147], [0176]).  

Powell further discloses:
[0081] According to various embodiments of the present invention, the token assurance levels may range from no assurance to high assurance depending on the ID&V methodology performed, the entity performing the ID&V and the token service provider 116 that confirms the result of the assessment. Exemplary ID&V methods may include, but are not limited to, (1) no ID&V performed, (2) account verification, (3) token service provider risk score, (4) token service provider risk score with token requestor data, and (5) issuer authentication of the account holder. One of ordinary skill in the art will appreciate that the foregoing ID&V methods are provided for illustration purposes only and that additional ID&V methods may be defined and performed in accordance with embodiments of the present invention.

Powell does not appear to expressly disclose:
obtaining first location information associated with the mobile device via a positioning system on the mobile device; 
decrypt the cryptogram; 

Heffez, however, discloses:
obtaining first location information associated with the mobile device via a positioning system on the mobile device (¶¶ [0008], [0017], [0020], [0024]; fig. 4 & related text);
decrypt the cryptogram/transaction data (¶ [0060]); 

It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate comparing a consumer’s location obtained from a GPS to a merchant’s location, as disclosed by Heffez, to enhance security thereby preventing fraudulent transactions.

Heffez additionally discloses: 
[0044] In a third embodiment of the present invention, a method is provided for facilitating the detection of misuse of an identity during an electronic transaction, comprising the steps of: receiving a notification to authenticate the use of an identity at a first location, wherein the identity is associated with a first wireless terminal; reading a cached location of the first wireless terminal based on cached position information stored on the first wireless terminal, the location of the first wireless terminal being a second location; determining whether the first and second locations match in geographical proximity; determining a post-transaction location of the first wireless terminal if the first and second locations do not match in geographical proximity, the post-transaction location of the first wireless terminal being a third location; and generating an alert if: (1) the first and second locations do not match in geographical proximity and (2) the first and third locations do not match in geographical proximity.

[0045] Referring to the invention in general and with reference to the third embodiment, the post-transaction location can be obtained, for example, by processing GPS signals received by the first wireless terminal 160 within a reasonable time after the transaction (referred to hereinafter as "post-transaction GPS signals"). Post-transaction location can also be obtained, for example, using WiFi unique ID (if available) or WiMax unique ID. Alternatively, the post-transaction location can be obtained by using an inertial navigation module (INM) 400 (discussed infra) to convert the most recent cached location into a post-transaction location for the first wireless terminal, wherein updating the most recent cached position of the INM module is integrated into the design of the first wireless terminal (see, e.g., FIG. 3). Thus, the post-transaction location can be determined based on a method selected from the group consisting of: processing post-transaction GPS signals, WiFi unique ID, and WiMax unique ID, and any combination thereof. 


As per claim 22, Powell/ Heffez discloses as shown above.
Powell does not disclose wherein the server computer is configured to determine a distance-to-time ratio threshold for a user associated with the transaction, wherein the distance-to-time ratio threshold is specific to the user and determined based on past transactions of the user.

Heffez, however, discloses wherein the server computer is configured to determine a distance-to-time ratio threshold for a user associated with the transaction, wherein the distance-to-time ratio threshold is specific to the user and determined based on past transactions of the user (¶¶ [0016], [0037], [0038], [0039], [0064]-[0072]; fig. 4 & related text).

It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate comparing consumers’ location to merchant’s location, as disclosed by Heffez, to enhance security thereby preventing fraudulent transactions.

The examiner further notes that the following limitations have been considered but are not given patentable weight because the limitations have been interpreted as intended use limitations that are not positively claimed:
to obtain second location information associated with the mobile device at a time of the transaction:
A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art.  If the prior art structure is capable of performing the intended use, then it meets the claim. See MPEP 2114 and Ex parte Masham, 2 USPQ2d 1647 (Bd. Pat. App. & Inter. 1987).  

	
As per claims 28 & 34, Powell/ Heffez discloses as shown above.
Powell further discloses wherein the dynamic data is an encryption key that is a limited-use key (LUK) (¶¶ [0054], [0124]).

As per claims 29, 37 & 38, Powell/ Heffez discloses as shown above.
Powell further discloses wherein the dynamic data includes a dynamic account identifier (¶¶ [0049], [0108]).

As per claim 30, Powell/ Heffez discloses as shown above.
Powell further discloses wherein the second location information includes a terminal identifier associated with an access device used in the transaction, and the terminal identifier is used to determine a second location (¶¶ [0060], [0089], [0091], [0110], [0140], [0141]). 

As per claims 32 & 40, Powell/ Heffez discloses as shown above.
Powell further discloses the mobile device is a mobile phone (¶¶ [0060], [0089], [0091], [0110], [0140], [0141]). 

Claims 23-27 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Powell et al (US 20150127547 A1) (“Powell”) in view of Heffez et al (US 20090102712 A1) (“Heffez”) and further in view of Ferguson et al. (US 20110208601 A1) (“Ferguson”). 

As per claim 23, Powell/ Heffez discloses as shown above.
Powell does not disclose wherein the server computer is further configured to determine a distance between a first location corresponding to the first location information […] and a second location corresponding to the second location information associated with the transaction.

Heffez, however, discloses wherein the server computer is further configured to determine a distance between a first location corresponding to the first location information […] and a second location corresponding to the second location information associated with the transaction (¶¶ [0016], [0037], [0038], [0039], [0064]-[0072]; fig. 4 & related text).
It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate comparing consumers’ location to merchant’s location, as disclosed by Heffez, to enhance security thereby preventing fraudulent transactions. 


Powell does not disclose that the first location information is associated with the request for the dynamic data.
Ferguson, however, discloses first location information associated with the request for dynamic data (¶¶ [0013], [0020], [0022]; claim 1; current location of a user). 

Ferguson further discloses:
[0022] With regard to the methods 200 and 400 described in FIGS. 2 and 3 respectively, a number of variables may be derived for a modeling and scoring process performed by the system 100 for any given moment in a financial account in determining the risk level at the blocks 222 and 420. In an embodiment, the derived variables include geographic distance between the home address of the customer 114 and a location of the current transaction point of service 122, geographic distance between an airport on the travel itinerary (as identified in card posting data, for example) and the point of service location of the current transaction, and/or time difference between the current transaction and the expected on-the-ground period of the nearest airport on the travel itinerary (as identified in posting data, for example). 

It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate location information associated with a transaction request, as disclosed by Ferguson, to enhance security thereby preventing fraudulent transactions.

As per claim 24, Powell/ Heffez/ Ferguson discloses as shown above.
Powell does not disclose wherein determining the confidence level for the transaction is further based at least in part on the distance-to-time ratio threshold and a distance-to-time ratio derived from the determined distance and an amount of time between receiving the request for the dynamic data and receiving the authorization request message.

Heffez, however, discloses wherein determining the confidence level for the transaction is further based at least in part on the distance-to-time ratio threshold and a distance-to-time ratio derived from the determined distance and an amount of time between receiving the request for the dynamic data and receiving the authorization request message (¶¶ [0016], [0037], [0038], [0039], [0064]-[0072]; fig. 4 & related text).

It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate comparing consumers’ location to merchant’s location, as disclosed by Heffez, to enhance security thereby preventing fraudulent transactions.

As per claims 25 & 35, Powell/ Heffez/ Ferguson discloses as shown above.
Powell further discloses wherein the server computer is further configured to cause the transaction to be approved or declined based on whether the confidence level for the transaction is above a threshold confidence level (¶¶ [0089], [0091]).

As per claims 26 & 36, Powell/ Heffez/ Ferguson discloses as shown above.
Powell further discloses wherein the confidence level is determined using a function in which the confidence level has an inverse relationship to the distance between the first location and the second location.

Heffez, however, discloses wherein the confidence level is determined using a function in which the confidence level has an inverse relationship to the distance between the first location and the second location (¶¶ [0016], [0037], [0038], [0060], [0064]).

It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate comparing consumers’ location to merchant’s location, as disclosed by Heffez, to enhance security thereby preventing fraudulent transactions.

As per claim 27, Powell/ Heffez/ Ferguson discloses as shown above.
Powell further discloses wherein determining the confidence level for the transaction is further based on verification of the cryptogram (¶¶ [0116], [0124], [0135], [0151], [0164], [0176]). 

Claim 39 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Powell in view of Heffez and further in view of Kumar et al (US 20170200160 A1) (“Kumar”).

As per claim 39, Powell/ Heffez/ Ferguson discloses as shown above.
Powell does not disclose, upon determining that one or more limited-use conditions are no longer met, generating a notification to request a replacement dynamic key.

Kumar, however, discloses upon determining that one or more limited-use conditions are no longer met, generate a notification to request a replacement dynamic key (¶¶ [0004], [0005], [0006], [0030], [0033], [0035], [0036], [0040], [0043], [0044], [0046], [0053]).

It would have been obvious to a person of ordinary skill in the art to modify Powell’s teachings to incorporate updating a key/token, as disclosed by Kumar, to enhance security thereby preventing fraudulent transactions.

Claim Interpretation
Examiner finds that because the claims are indefinite under 35 U.S.C. § 112(b), it is impossible to properly construe claim scope at this time. However, in accordance with MPEP §2173.06 and the USPTO's policy of trying to advance prosecution by providing art rejections even though these claims are indefinite, the claims are construed and the prior art is applied as much as practically possible.

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure is cited in the Notice of References Cited (form PTO-892).
Patel et al (US 20130226800 A1) discloses:
[0030] In this embodiment, the mobile electronic device 7 also initiates an authentication process with the authentication system 5 at step S2-11, after transmitting the transaction details to the terminal. Alternatively, the mobile electronic device 7 may wait for and respond to a request from the authentication system 5 for details to verify the mobile electronic device 7. Accordingly, at step S2-13, the mobile electronic device 7 determines the physical location of the mobile electronic device 7 using its geo-location module 7b. The mobile electronic device 7 then transmits at step S2-15 data identifying the physical location of the mobile electronic device 7 to the authentication system 5.

[0031] At step S2-16, the authentication system 5 receives the respective physical location details from both components of the merchant system 3. At step S2-17, the authentication system 5 uses the geo-location comparison module 5a to compare and verify that the physical location of the mobile electronic device 7 is within a predefined geographic distance of the merchant authentication terminal 13. This can be calculated by determining that the linear distance between the mobile electronic device 7 and the merchant authentication terminal 13 is less than a predefined threshold distance. It will be appreciated that the threshold distance may be set based on the physical dimensions of the merchant store. It will also be appreciated that the respective times that the physical locations are determined can be compared with the time of the present payment transaction to ensure that the merchant system 3 components are within the predefined proximity at substantially the same time the payment transaction is being processed.

US 20170221059 A1 discloses:
4. One or more non-transitory computer readable storage mediums storing one or more sequences of instructions, which when executed by one or more processors, causes (a) receiving an input from said first user device comprising a request to associate a location specific token with a location; (b) associating said location specific token with said location, wherein said location specific token is specific to a location characterized by a threshold distance or a threshold area; (c) communicating said location specific token (i) to said first user device associated with a first user, wherein said location specific token is first obtained by said server before it is obtained by said first user device; or (ii) from said first user device associated with said first user, wherein said location specific token is first obtained by said first user device before it is obtained by said server, wherein said location specific token is communicated from said first user device to a second user device associated with a second user; (d) receiving said location specific token from said second user device; (e) comparing data based on said location specific token which is associated by said server with said location specific token which is received by said server from said second user device for a match; (f) obtaining a distance between a location associated with said location specific token of said first user device and a location associated with said location specific token of said second user device, wherein said location associated with said location specific token is a physical location or an assumed location of a user of a user device; and (g) processing an interaction between said first user and said second user when (i) said match is found between said location specific token which is associated by said server and said location specific token which is received by said server from said second user device, (ii) said distance between said location associated with said first user and said location associated with said second user is within said threshold area or said threshold distance, wherein said first user or said second user is inside or outside of said location characterized by said threshold area or said threshold distance, or (iii) said distance between said location associated with said location specific token of said first user device and said location associated with said location specific token of said second user device is within said threshold area or said threshold distance.

Royyuru (US 20080208759 A1) discloses: methods and systems are disclosed for executing financial transactions between customers and merchants. An identifier of a financial account is received from the customer at a merchant system. A one-time password is also received from the customer at the merchant system, with the customer having been provided with the one-time password by a mobile electronic device or contactless presentation instrument. A cryptogram is generated to include the identifier of the financial account encrypted using the one-time password. An authorization request is formulated at the merchant system. The authorization request includes the cryptogram and transaction information describing at least a portion of the financial transaction. The authorization request is transmitted from the merchant system to an authorization processor for authorization of the financial transaction.


McChesney (US 20060271552 A1) discloses: There is provided a computer-implemented method for targeted delivery of content. The method includes (i) receiving first data that indicates (a) an identity of a person, (b) a subject location, and (c) a subject time at which the person is expected to be at the subject location, (ii) querying a database, based on the identity, to obtain second data about the person, (iii) matching content to the second data, and (iv) initiating a delivery of the content to a delivery location at a delivery time based on the subject location and the subject time.

Weis et al (US 20120185398 A1) discloses:
receiving, by a server computer from a mobile device (@first location), a request for dynamic data (e.g. confirmation key or confirmation number) (¶¶ [0088],[0090] [0285], [0286],  [0288];  Figs. 15, 16  & related text); 
storing the first location information and associating the first location information with the dynamic data; 
transmitting the dynamic data to the mobile device (¶¶ [0054], [0278]; Figs. 15, 16  & related text);
receiving an authorization request message for a transaction (e.g. from a second location), , and the dynamic data or transaction data generated from the dynamic data (¶¶ [0054], [0278]; Figs. 15, 16  & related text); 
comparing a first location corresponding to the first location information associated with the dynamic data and a second location corresponding to the second location information associated with the transaction; and 
determining a confidence level for the transaction based at least in part on the comparison of the first location and the second location.

Kim et al (US 20170061419 A1) discloses: an electronic device is provided. The electronic device includes a sensor, a communication interface, and a processor configured to acquire location information of the electronic device using the sensor, transmit a request for payment means information and the location information to a first external device using the communication interface, the payment means information being received by the first external device and generated by the first external device based on the transmitted location information, and transmit the payment means information to a second external device for use in payment using the communication interface. 

Ngo et al (US 20150178724 A1) discloses:  [0088] To conduct a cloud-based transaction, a user of portable communication device 101 may place portable communication device 101 in proximity to contactless reader 162 of access device 160, or display an image such as a QR code or bar code on a screen of portable communication device 101 for scanning by contactless reader 162 of access device 160. Portable communication device 101 may provide access device 160 with an identifier (e.g., an account identifier such as a PAN, an alternate account identifier such as an alternate PAN, or a token, etc.) to identify the account of the user and additional information such as the limited-use account parameters or information derived from the limited-use account parameters (e.g., transaction cryptograms generated from an LUK). For example, in some embodiments, an account identifier or token, and additional information (e.g., a transaction cryptogram, account parameters, etc.) can be transmitted to access device 160 in APDU responses that are responsive to a series of APDU commands received from access device 160. In some embodiments, an account identifier or token, and the additional information can be encoded in a QR code or bar code that is scanned and processed by access device 160 to retrieve the encoded information. Access device 160 or a merchant computer coupled to access device 160 may then generate an authorization request message including the account identifier or token, and additional information such as a transaction cryptogram and other transaction data, and forward the authorization request message to acquirer 174 associated with the merchant. The authorization request message can then be sent by acquirer 174 to payment processing network 194.


Varadarajan et al (US 20110276495 A1) discloses a method of using a one-time password for a transaction between a user and a merchant is disclosed. The method may include generating the one-time password. The method may also include authenticating the user by the authentication server in response to a request from the user to use the one-time password. The method may further include authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server. The method may moreover include using the one-time password in combination with an account number to settle the transaction between the user and the merchant. The method may additionally include sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction. The method may also include sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction. 

Wong et al (US 20150180836 A1) discloses: Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and sending a token instead of a real account identifier and the transaction cryptogram to an access device to conduct the transaction. The LUK may be associated with a set of one or more limited-use thresholds that limits usage of the LUK, and the transaction can be authorized based on at least whether usage of the LUK has exceeded the set of one or more limited-use thresholds.

Any inquiry concerning this communication or earlier communications from the Examiner should be directed to MAMON OBEID whose telephone number is (571)270-1813.  The Examiner can normally be reached on 8 AM- 5 PM.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, John W. Hayes, can be reached on (571)272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAMON OBEID/Primary Examiner, Art Unit 3685