Detailed Action

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Acknowledgments
This submission filed on 15 September 2022 is acknowledged.

Status of Claims
Claims 21, 23-33 and 35-40 are pending. 
In the Amendment filed on 15 September 2022, claims 21, 33 and 35-37 were amended, claims 22 and 34 were cancelled, and no claims were added.
Claims 21, 23-33 and 35-40 are rejected.

Priority
Applicant’s claim for priority, including the claim for the benefit of a prior-filed application under 35 U.S.C. 119(e), is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 119(e) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the ultimate parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994)
The disclosure of the prior-filed provisional application, provisional Application No. 62/159,142, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph, for claims 36-40 of this application. 
Claim 36, lines 16-19, recites "providing, to the remote server computer, a portion of the detailed device information for the portable device in response to a request from the remote server computer …." However, provisional Application No. 62/159,142 does not provide support for the providing of the (portion of the) detailed device information to the remote server computer being "in response to a request from the remote server computer." The portions of provisional Application No. 62/159,142 describing the subject matter closest to this step of "providing … a portion of the detailed device …" of claim 36 are understood to be paragraphs 0037 and 0068, and steps 203, 303 and 403 of Figures 2-4, respectively. These portions describe that PPN SDK 101B may access the external server computer 160 to allow the external server computer 160 to access and retrieve detailed portable consumer device information from the portable consumer device 101, but do not describe a request from external server computer 160 in this regard, let alone that the recited providing is in response to such request.
	Claims 37-40 lack support in provisional Application No. 62/159,142 insofar as they depend from claim 36.
	Accordingly, claims 36-40 are not entitled to the benefit of provisional Application No. 62/159,142.

Response to Arguments
Regarding the Objections to the Drawings, Specification and Claims
The objections to the drawings and specifications have been withdrawn in view of the amendments to the specification. The claim objections are withdrawn, but it is noted that, while corrections have been made, the claim amendments in question do not include the proper markings (the added periods are not underscored) and hence do not reflect the previous version of the claims and do not comply with 37 C.F.R. 1.121. As a courtesy to Applicant, the claim amendments in question have been entered. 
Regarding the Double Patenting Rejection
Applicant requests that the double patenting rejection be held in abeyance.
Regarding the Rejections under 35 U.S.C. 112
The claims rejections under 35 U.S.C. 112 in the previous Office Action have been withdrawn in view of the claim amendments.
Regarding the Rejection under 35 U.S.C. 101
Applicant's arguments have been fully considered but are not persuasive. 
Applicant argues:
The Applicant submits that generating a transaction message to request a portion of detailed device information, retrieve the portion of the detailed device information using an SDK of a device that includes operation system data for the portable device and application data for the portable device, and modifying an authentication request message to include the portion of detailed device information rises to the level of being foundational in the scientific or economic fields. (Response, p. 14)

In response, the Office disagrees with this assertion of Applicant. What Applicant here describes is a business process (generating a transaction message, requesting and retrieving  device information, modifying an authentication request message to include the device information), plus generic computer elements ("using an SDK"). This content is not "scientific or economic," let alone "foundational" in those fields. It will also be noted that not all of the content here cited by Applicant is actually claimed (e.g., "that includes operation system data for the portable device and application data for the portable device"); Applicant has apparently cut and pasted content from the last Office Action in the parent application.
Applicant further argues: 
Applicant also submits that the features of the claims are not directed to any of the enumerated examples of certain methods of organizing human activity. … To further illustrate the point, some of the enumerated examples for certain methods of organizing human activity include "using advertising as an exchange or currency," "processing a credit application between a customer and dealer, wherein the business relation is the relationship between the customer and the dealer during the vehicle purchase," and "a set of rules for playing a dice game." October Guidance, page 6. Yet none of these examples are similar to Applicant's claims which include …." (Response, p. 14, emphasis added)

In response, the Office points out that Applicant's argument is logically invalid. Applicant purports to conclude that the claims do not fall into a certain category because the claims are not similar to "some" of the examples of the category. Applicant's own argument thus concedes that it has considered only "some," not all, examples of the category. Such an argument, which is based on merely a portion, not all, of the data, logically cannot demonstrate the alleged negative conclusion. In addition, it is noted that the claims are characterized as "mitigating risk," which is one of the examples of the category in question. October 2019 Update: Subject Matter Eligibility, p. 5.
Applicant further argues: 
Based on the results of Prong 1, the Applicant submits that the additional elements of amended independent claim 21 should include more than just components recited at a high-level of generality. For example, amended independent claim 21 recites "receiving, by a server computer and from a portable device, an authentication request message for a transaction, the portable device configured to utilize a resource provider application and a processing network computer application, the transaction initiated utilizing the resource provider application of the portable device, and the authentication request message provided to the server computer by the portable device via the processing network computer application," "determining, by the server computer, that detailed device information is required to authenticate the transaction," "retrieving, by the server computer and from a rules database, privacy requirements for the transaction, the privacy requirements limiting the detailed device information retrieved by the server computer," "generating, by the server computer, a transaction message including an identifier, a request for the detailed device information, and the privacy requirements for the transaction," "retrieving, by the server computer, at least a portion of the detailed device information from a remote server computer using the identifier and based on the privacy requirements, the portion of the detailed device information obtained using an SDK of the portable device, the SDK of the portable device including an authentication SDK," "modifying, by the server computer, the authentication request message to include the at least the portion of the detailed device information," "sending, by the server computer, the modified authentication request message to an access control server computer," "receiving, by the server computer, an authentication response message from the access control server computer including a verification value for the transaction, wherein the verification value is generated based on a result of a risk analysis performed using the at least the portion of the detailed device information," "generating, by the server computer, an advice message indicating reasons for rejection for the transaction and including a risk score associated with the result of the risk analysis," ," [sic] and "transmitting, by the server computer and to the portable device and the resource provider application of the portable device, the advice message." These are features which are not typically associated with transaction processing systems. Furthermore, such features recite the practical application of modifying an authentication request message and transmitting the modified authentication request message to an access control server computer for performing authentication so that a risk analysis can be performed prior to authorizing the transaction or the generation of authorization messages has occurred. (Response, pp. 15-16, emphasis added)

In response, the Office points out that a significant portion of the claimed subject matter that forms the basis of Applicant's argument (specifically, the underlined content in the above-quoted portion of Applicant's argument) is not positively recited and hence is not entitled to full patentable weight. 
Regarding the Rejection under 35 U.S.C. 103
Applicant's arguments have been fully considered but are not persuasive.
Applicant presents the following arguments with respect to independent claim 21 (Response, pp. 18-20).
Applicant argues: 
Applicant respectfully submits that the cited references fail to disclose, teach, or suggest all the features of amended independent claim 21. For example, claim 21 recites, among other things, "retrieving, by the server computer, at least a portion of the detailed device information from a remote server computer using the identifier and based on the privacy requirements, the portion of the detailed device information obtained using an SDK of the portable device, the SDK of the portable device including an authentication SDK." However, Liu in view of Lindemann does not appear to disclose, teach, or suggest at least these elements. 
[1] The Office Action cites Liu as allegedly teaching or suggesting this feature prior to these amendments. Office Action, page 18. [2] The cited portions of Liu recite that "the payment application server computer may be configured to receive user device information for the user device associated with the transaction," and that "the user device may be configured to send device data as part of the checkout process." Liu, para. 81 [3] However, the cited portions of Liu are not the same as or suggestive of the amended features recited above. [4] For example, Liu is silent as to the server computer retrieving "the detailed device information" let alone that the specific detailed device information is obtained "using an SDK of the portable device, the SDK of the portable device including an authentication SDK." [5] As such, Liu fails to teach or suggest such amended features of the claims. [6] Lindemann was not cited as allegedly teaching or suggesting this feature and Applicant submits that Lindemann fails to remedy the deficiencies of Liu noted above. (Response, p. 19; numerals in square brackets added for reference)


The Office responds:
Regarding [1], the statement is incorrect: The previous Office Action cited Liu as teaching only a portion of the limitation in question, specifically, "retrieving, by the server computer, at least a portion of the detailed device information" (Office Action, p. 18). (Accordingly, [4] is misleading: Liu was not cited for the limitations involving the SDK.) The previous Office Action cited Lindeman as teaching "retrieving, by the server computer, at least a portion of the detailed device information from a remote server computer using the identifier and based on the privacy requirements" (Office Action, pp. 22-23). (Accordingly, [6] is also incorrect.) The previous Office Action cited Ulrich as teaching "retrieving, by the server computer, the detailed device information from a remote server computer using the identifier, the detailed device information obtained using an SDK of the portable device, wherein the SDK of the portable device includes an authentication SDK." (Office Action, pp. 31-32 (claim 22)). Applicant does not present any substantive argument against Lindeman or Ulrich in respect of this limitation.
Regarding [2],  the statement is misleading. Specifically, the Office Action quoted a specific portion of Liu 0081, namely, the last sentence thereof, in the rejection of this limitation, insofar as it was deemed taught by Liu (Office Action, p. 18, last sentence (step E)). However, Applicant does not address the portion of Liu 0081 quoted by the Office Action; instead, Applicant cites only different portions of Liu 0081, which were not specifically cited by the Office Action. 
	Accordingly, absent argument against the specific teaching of Liu cited, and absent argument against the other references cited for this limitation, Applicant's arguments against the rejection of this limitation are not persuasive.
Applicant further argues: 
[1] The claims have been further amended to recite "generating, by the server computer, an advice message indicating reasons for rejection for the transaction and including a risk score associated with the result of the risk analysis," and "transmitting, by the server computer and to the portable device and the resource provider application of the portable device, the advice message." [2] The Office Action cites Liu as allegedly teaching or suggesting these features prior to these amendments. Office Action, page 27. [3] The cited portions of Liu recite that "[t]he authorization response message may comply with ISO 8583...which may include reasons for denial." Liu, para. 106 further citing Bharghavan. [4] However, the cited portions of Liu are not the same as or suggestive of the amended features recited above. [5] For example, the reasons for denial in Liu are silent as to including "a risk score associated with the result of the risk analysis," and that the advice message is sent to "the resource provider application of the portable device," as recited in the amended claims. [6] As such, Liu fails to teach or suggest at least this amended feature as well. [7] Lindemann was not cited as allegedly teaching or suggesting this feature and Applicant submits that Lindemann fails to remedy the deficiencies of Liu noted above. (Response, p. 20; numerals in square brackets added for reference)

The Office responds:
Regarding [3], the statement is incomplete: The statement refers to the rejection of claim 34. However, the limitation in question is also taught at least in part by claim 30 and claim 36, steps (G) and (H). The previous Office Action also cited additional portions of Liu as teaching claim 30 and claim 36, steps (G) and (H), specifically, 0003; Fig. 4, 412, 0090, 0084; 0101, 0106-0107, 0114-0115, Fig. 4, 426/424; 0108, Fig. 4, 428, 0020. In the instant Office Action, Liu 0025, Fig. 5, 0046-0048, 0055-0057, are also cited as teaching this limitation. The recited "risk score" is taught by Liu's first or second risk score in the cited portions of Liu. (See rejection of claim 21 under 35 U.S.C. 103 hereinbelow.) The recited "resource provider application" is taught by Liu's payment application in the cited portions of Liu (see, e.g., 0025, Fig. 5, 0046-0048, 0055-0057, e.g., "The payment application 102B may communicate with the payment application server computer 104 to retrieve and return information during the processing of any of a number of services offered to the user via the user device 102 (e.g., conducting transactions performed using the user device 102)" (0048); "a merchant or payment application (e.g., digital wallet) may be provided with the result of these authentication processes" (0003)).
	Accordingly, Liu is deemed to teach the limitations in question.
	Further regarding [3], for clarification of the record, it is noted that Bharghavan is cited not as prior art but as defining a term (namely, "ISO 8583") in Liu. 
For independent claims 35 and 36 Applicant merely references the same arguments as were submitted for independent claim 21.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21, 23-33 and 35-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of U.S. Patent No. 11,074,585 (U.S. Application No. 15/572,770, parent of the instant application) in view of Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu; Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann; Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich; Mandava et al. (U.S. Patent Application Publication No. 2011/0191862), hereafter Mandava; Beelen et al. (U.S. Patent Application Publication No. 2016/0267476 A1), hereafter Beelen; Ranganathan (U.S. Patent Application Publication No. 2012/0209773 A1); Weller (U.S. Patent Application Publication No. 2010/0114776 A1), hereafter Weller; and Carlson et al. (U.S. Patent Application Publication No. 2014/0040137 A1), hereafter Carlson. Although the claims at issue are not identical, they are not patentably distinct from each other. Liu, Lindemann Ulrich, Mandava, Beelen, Ranganathan, Weller and Carlson teach the limitations not in the claims of U.S. Patent No. 11,074,585, as per the rejections under 35 U.S.C. 103 below. 
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified the claims of U.S. Patent No. 11,074,585, by incorporating therein the pertinent teachings of the above-indicated references, because the combination is a matter of combining prior art elements according to known methods to yield predictable results, MPEP 2143 I.A.


Claim Rejections - 35 USC § 101 
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 21, 23-33 and 35-40 are rejected under 35 U.S.C. 101 because the claimed inventions are directed to abstract ideas without significantly more.
In the instant case, claims 21, 35 and 36 are directed to a method and system and computer-implemented method.
Claims 21, 35 and 36 are directed to the abstract idea of "mitigating risk or detecting fraud with respect to a transaction, by means of authentication based on risk analysis" which is grouped under "certain methods of organizing human activity," specifically, "fundamental economic practices or principles," "commercial or legal interactions" and/or "managing personal behavior or relationships or interactions between people" in prong one of step 2A (See 2019 Revised Patent Subject Matter Eligibility Guidance). Claims 21 and 35 recite "receiving … an authentication request message for a transaction, … the transaction initiated …, the authentication message provided …; determining … that detailed device information is required to authenticate the transaction; retrieving … privacy requirements for the transaction, the privacy requirements limiting the detailed device information retrieved …; generating … a transaction message including an identifier, a request for the detailed device information, and the privacy requirements for the transaction; retrieving … at least a portion of the detailed device information … using the identifier and based on the privacy requirements, the portion of the detailed device information obtained …; modifying … the authentication request message to include the at least the portion of the detailed device information; sending … the modified authentication request message …; receiving … an authentication response message … including a verification value for the transaction, wherein the verification value is generated based on a result of a risk analysis performed using the at least the portion of the detailed device information; generating … an advice message indicating reasons for rejection for the transaction and including a risk score associated with the result of the risk analysis; and transmitting … the advice message." Claim 36 recites similar or identical limitations. Accordingly, the claims recite an abstract idea (See 2019 Revised Patent Subject Matter Eligibility Guidance).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A (See 2019 Revised Patent Subject Matter Eligibility Guidance), the additional elements of the claim, such as a "server computer," a "portable device," a "resource provider application," a "processing network computer application," a "rules database," a "remote server computer," an "access control server computer," a "processor," a " memory," an "authorizing computer, a "resource provider computer," and an "SDK of the portable device, the SDK of the portable device including an authentication SDK" represent the use of a computer as a tool to perform an abstract idea and/or do no more than generally link the abstract idea to a particular field of use. Therefore, the additional elements do not integrate the abstract idea into a practical application as they do no more than represent a computer performing functions that correspond to (i.e., automate or implement) the acts of mitigating risk or detecting fraud with respect to a transaction, by means of authentication based on risk analysis, specifically, as recited above.
When analyzed under step 2B (See 2019 Revised Patent Subject Matter Eligibility Guidance), the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception itself. Viewed as a whole, the combination of elements recited in the claims merely describes the concept of mitigating risk or detecting fraud with respect to a transaction, by means of authentication based on risk analysis, specifically, as recited above, using computer technology (e.g., processor). Therefore, the use of these additional elements does no more than employ a computer as a tool to automate and/or implement the abstract idea, which cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A),(f) & (h)). 
Hence, claims 21, 35 and 36 are not patent eligible.
Dependent claims 23-33 and 37-40 describe operations related to those of the abstract idea (claims 23-25, 30, 31, 33, 37, 39 and 40), generic computer elements (claims 23-25, 30, 31, 33, 37, 39 and 40), and/or characteristics of data (claims 26-29, 32, 37 and 38). Thus, the dependent claims further describe the abstract idea and the use of the processor or computer system to automate or implement the abstract idea. The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. Therefore, the use of the computer in each step does no more than employ the computer as a tool to carry out functions corresponding to the acts performed in the abstract idea. Merely applying instructions by reciting the computing structure as a tool to implement the claimed limitations (see MPEP 2106.05(f)) or merely linking the use of the judicial exception to a particular technological environment or field of use (MPEP § 2106.05(h)), does not serve to provide significantly more than the abstract idea.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 21, 23-33 and 35-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Unclear Scope 
Claims 21 and 35 recite "retrieving, by the server computer, at least a portion of the detailed device information from a remote server computer using the identifier and based on the privacy requirements, the portion of the detailed device information obtained using an SDK of the portable device, the SDK of the portable device including an authentication SDK"; claim 36 recites "providing, to the remote server computer, a portion of the detailed device information for the portable device in response to a request from the remote server computer using the identifier and based on the privacy requirements, the portion of the detailed device information obtained using an SDK of the portable device, the SDK of the portable device including an authentication SDK." The recited operation ("retrieving"; "providing") is (claims 21, 35), or is understood in view of the specification to be (claim 36), performed by a server computer, not by the portable device. Accordingly, it is not clear how the server obtains the device information using an SDK of the portable device, or it is not clear what entity is performing the obtaining. Accordingly, the scope of the claims is not clear.
An essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed (See In re Zletz, 893 F.2d 319,321 (Fed. Cir. 1989)).
Claims 23-33 and 37-40 are rejected by virtue of their dependency from a rejected claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 21, 26, 27, 29-31, 33 and 35-37 are rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, and further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich.

Regarding Claims 21 and 35
Liu teaches:
(step A) receiving, by a server computer and from a portable device, an authentication request message for a transaction, the portable device configured to utilize a resource provider application (0025 e.g., interface on merchant website; 0079 e.g., internet browser application to access merchant website; 0078) and a processing network computer application (0078 e.g., payment application 102B; 0025; 0079), the transaction initiated utilizing the resource provider application of the portable device, and the authentication request message provided to the server computer by the portable device via the processing network computer application ("payment application 102B may provide … for user interaction (e.g., to … send payments)"); (Fig. 4, 402, 0078-0080, 0025)
(step B) determining, by the server computer, that detailed device information is required to authenticate the transaction; (0080 "payment application server computer 104 may want a risk analysis and a risk score associated the with user 102 device when the user initiates a checkout process for a transaction" -- hence, may determine that device information is required, inasmuch as risk analysis employs device information)
(step D) generating, by the server computer, a transaction message including … a request for the detailed device information …; (0081 "In other embodiments, some or all of this data [i.e., device data and transaction data] may be requested and/or retrieved by the payment application server computer 104.") 
(step E) retrieving, by the server computer, at least a portion of the detailed device information …; (0081 "In other embodiments, some or all of this data [i.e., device data and transaction data] may be requested and/or retrieved by the payment application server computer 104.")
(step F) modifying, by the server computer, the authentication request message to include the at least the portion of the detailed device information; (0082-0083 payment application server generates risk score request message including device information and transaction details; as the risk score request message includes transaction details, it is deemed a modification of the initial message 402 (authentication request message); alternatively, 0093, 0098, Fig. 4, 416/420 generating an authorization request message including device data is deemed "modifying … the authentication request message to include … the detailed device information")
(step G) sending, by the server computer, the modified authentication request message to an access control server computer; (0082-0083, Fig. 4, 404, 406 payment application server sends risk score request message including device information and transaction details to risk scoring system 106; alternatively, 0093, 0098, Fig. 4, 416/420, access control server taught by 108 or 110)
(step H) receiving, by the server computer, an authentication response message from the access control server computer including a verification value (first risk score) for the transaction, wherein the verification value is generated based on a result of a risk analysis performed using the at least the portion of the detailed device information. (Fig. 4, 412, 0090, 0084; alternatively, 0101, 0106-0107, 0114-0115, Fig. 4, 426/424 second risk score is "verification value," access control server taught by 108 or 110)
(step I) generating, by the server computer, an advice message indicating reasons for rejection for the transaction and including a risk score associated with the result of the risk analysis (first risk score); and (0070, 0106 authorization response message may comply with ISO 8583 (note: ISO 8583-compliant response message may include reasons for rejection, see e.g., Bharghavan et al. (U.S. Patent No. 10,043,182) 9:28-33, cited on attached Form PTO-892); Fig. 4, 412, 0090, 0084 first risk score; alternatively, 0101, 0106-0107, 0114-0115, Fig. 4, 426/424 second risk score)
(step J) transmitting, by the server computer and to the portable device and the resource provider application of the portable device (0020, 0025, Fig. 5, 0046-0048, 0055-0057, see also 0003), the advice message. (0108, Fig. 4, 428, see also 0003) (Note: see rejection of claim 30 below for motivation for combining Liu 0003 with other teachings of Liu.)
(claim 35) a processor; and a memory including instructions that, when executed with the processor, cause the server computer to, at least: (Fig. 6)
Although Liu teaches portions of steps D and E (see above), Liu does not explicitly disclose the following limitations in their entirety but Lindemann teaches:
(step C) retrieving, by the server computer and from a rules database (e.g., 720), privacy requirements for the transaction, the privacy requirements limiting the detailed device information retrieved by the server computer; 
-- 0091-0097, Figs. 12, 13: As per following step below, server sends query to client, the query including an attribute specifying which privacy classes of information should be retrieved. In order to send query including this privacy requirement, the server accesses and obtains (retrieves) the privacy requirement from storage (rules database), see also paragraphs 0035, 0044, 0046, 0059, 0064-0065, 0079  
-- Alternately: paragraphs 0056-0057: privacy requirement limits client authentication capabilities (authentication devices) (detailed device information) divulged to (retrieved by) server; 0042-0090: client enrolls, registers and uses authentication devices to perform authentication; 0035, 0042-0046, 0065, 0079: as part of this process, (e.g., symmetric) public and private keys are generated for a given authentication device (hence, particular set of private and public keys indicates particular authentication device), and the private key is stored in client 100 database 120, and the public key, as well as user/client information registration, are stored in server 130 database 120; 0097, Fig. 13, 1305: the server uses the device information received from the client to perform authentication in subsequent transactions with the client, such subsequent transactions involve accessing and retrieving the public key and/or user/client registration/ information stored in server database 120, the public key and/or user/client registration/information includes/ indicates the privacy requirements, e.g., indicates which of client's authentication devices are to be used (hence indicates the privacy requirements, inasmuch as the privacy requirements limit the client's authentication devices to be used, hence determine which client's authentication devices are to be used, as explained above)
(step D) generating, by the server computer, a transaction message including an identifier, a request for the detailed device information and the privacy requirements for the transaction; (0091-0097, Figs. 12, 13, 1301, 1302: server generates query requesting client device information, the query includes an attribute specifying which privacy classes of information should be retrieved (privacy requirements for the transaction) (see, e.g., 0094); as per 1302 the query is routed to client device -- in order for the query to successfully be routed to client device, the query must contain some identifier identifying the client device as the intended recipient)
(step E) retrieving, by the server computer, at least a portion of the detailed device information from a remote server computer using the identifier and based on the privacy requirements; (0091-0097, Figs. 12, 13, 1304: privacy management logic/module 1201 of secure transaction service 101 of client analyzes query received from server (see 1301, 1302 above), collects device information, based on the privacy requirements specified in the query, generates response containing the collected client device information, and sends the response to the server, note the response includes the device information as limited by (based on) the privacy requirements, note the response is received, i.e., the device information is retrieved, by the server, based on the query (request for device information) having been received by the client device, i.e., using the identifier; note 0103, 0104, Fig. 15, the computer system that Lindemann refers to as a client (Fig. 15) can also be a server, hence Lindemann teaches retrieving the device information from a server computer)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein Lindemann's teachings pertaining to limiting device information provided to a server for authentication, based on privacy requirements, in order to permit authentication without a client having to provide all its device information, so as to protect users' privacy. See Lindemann, paragraphs 0023, 0056-0057, 0091. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.
Liu does not explicitly disclose but Ulrich teaches:
… the portion of the detailed device information obtained using an SDK of the portable device, the SDK of the portable device including an authentication SDK; (Abstract, 0005-0007, claims 4, 6, 15)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Ulrich, in order to permit a party (e.g., merchant) to perform transaction authentication interacting with different entities using different devices and/or different software rather than requiring the party to continually use different equipment and/or software. See Ulrich, 0002-0004. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.

Regarding Claim 26
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Liu further teaches:
wherein the transaction message comprises user data, portable device data, and transaction data. (0081 "In other embodiments, the user device 102 may be configured to send device data as part of the checkout process. The data may include user device information …, user data …, transaction details ….")

Regarding Claim 27
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 and intervening claim 26 as set forth above. Liu further teaches:
wherein the user data includes one or more of a name of a user, an address for the user, an email address for the user, or a phone number for the user. (0081)

Regarding Claim 29
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 and intervening claim 26 as set forth above. Liu further teaches:
wherein the transaction data identifies item details included in the transaction, payment device data, and a payment account number of a user associated with the transaction. (0081)

Regarding Claim 30
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Liu further teaches:
transmitting the authentication response message and the verification value to a resource provider computer. (0003 merchant is provided with result of authentication process)
Note: This rejection involves combining different embodiments, as 0003 refers to teachings known in the prior art and not specifically to Liu's inventive teachings, which are cited for base claim 21. However, it would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have combined these embodiments (combined this prior art with Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information), because such combination would render Liu more widely applicable, by reporting the authentication response not only to a user device but also to a merchant device, and because these prior art teachings may be deemed implicitly taught by Liu for this reason (i.e., because they would provide wider applicability) and also because Liu indicates that his invention adds to or builds on the prior art in this respect: 
These current methods are limited in that while a merchant or payment application (e.g., digital wallet) may be provided with the result of these authentication processes and decide to proceed or stop a transaction based on the result of an authentication process, not all parties to a transaction may be provided with same information. (0003; emphasis added)

-- Thus Liu aims to provide information to all parties, including merchants, who currently receive it; Liu does not intend to withhold from merchants information that, per the prior art, is already being provided to them. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.

Regarding Claim 31
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Lindemann further teaches:
wherein the server computer retrieves the privacy requirements based at least in part on a set of rules (privacy policies/preferences defined in terms of privacy classes) of the rules database. (0091-0097, Figs. 12, 13)

Regarding Claim 33
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Liu further teaches:
wherein the authentication request message (e.g., see Fig. 4 steps 416ff) is provided to the server computer in response to a user interacting with a checkout option (0078-0080, Fig. 4, 402) presented via the resource provider application (0025) of the portable device. (Fig. 4, 0078-0080, 0025)

Regarding Claim 36
Liu teaches:
(step A) receiving an indication of a transaction initiated with a resource provider application of a portable device (e.g., 0078 selecting an item for purchase), the portable device configured to utilize a resource provider application and a processing network computer application, the transaction initiated utilizing the resource provider application of the portable device; (Fig. 4, 402, 0078-0080, 0025)
(step B) generating an authentication request message (402) for the transaction; (Fig. 4, 402, 0078-0080, 0025)
(step C) providing, via the processing network computer application, the authentication request message to a directory server computer, the directory server computer configured to determine (0080) that detailed device information for the portable device is required to authenticate the transaction; (Fig. 4, 402, 0078-0080, 0025)
(step D) receiving, from the directory server computer, an indication that the detailed device information for the portable device is required to authenticate the transaction and an identifier; (0080-0081)
(step F) providing, to the remote server computer, a portion of the detailed device information for the portable device in response to a request from the remote server computer using the identifier …; (0081; alternatively, 0087, Fig. 4, 408)
(step G) receiving, from the directory server computer, an authentication response message that includes a verification value (first risk score) for the transaction, wherein the verification value is generated, by an access control server computer, based on a result of a risk analysis performed using the portion of the detailed device information, the access control server computer transmitting the verification value to the directory server computer; and (Fig. 4, 412, 0090, 0084; alternatively, 0101, 0106-0107, 0114-0115, Fig. 4, 426/424 second risk score is "verification value," access control server taught by 108 or 110)
(step G-1) the directory server computer configured to: generating an advice message indicating reasons for rejection for the transaction and including a risk score associated with the result of the risk analysis (first risk score); and (0070, 0106 authorization response message may comply with ISO 8583 (note: ISO 8583-compliant response message may include reasons for rejection, see e.g., Bharghavan et al. (U.S. Patent No. 10,043,182) 9:28-33, cited on attached Form PTO-892); Fig. 4, 412, 0090, 0084 first risk score; alternatively, 0101, 0106-0107, 0114-0115, Fig. 4, 426/424 second risk score)
(step G-2) transmitting, to the portable device and the resource provider application of the portable device (0020, 0025, Fig. 5, 0046-0048, 0055-0057, see also 0003), the advice message; (0108, Fig. 4, 428, see also 0003) (Note: see rejection of claim 30 above for motivation for combining Liu 0003 with other teachings of Liu.)
(step H) transmitting the authentication response message and the verification value to an authorizing computer to authorize the transaction for a resource provider computer (user device 102, which per 0020 can conduct transactions such as purchase goods/services, hence is resource provider computer). (0108, Fig. 4, 428, 0020, see also 0003) (Note: see rejection of claim 30 above for motivation for combining Liu 0003 with other teachings of Liu.)
Liu does not explicitly disclose in their entirety but Lindemann teaches:
(step E) accessing a rules database that identifies privacy requirements for the transaction, the privacy requirements limiting the detailed device information provided to a remote server computer; (0091-0097, Figs. 12, 13, see also 0035, 0044, 0046, 0059, 0064-0065, 0079; alternatively: 0056-0057, see also 0042-0090, 0035, 0042-0046, 0065, 0079, 0097, Fig. 13, 1305)
(step F) providing, to the remote server computer, a portion of the detailed device information for the portable device in response to a request from the remote server computer using the identifier and based on the privacy requirements; (0091-0097, Figs. 12, 13, see also 0035, 0044, 0046, 0059, 0064-0065, 0079; alternatively: 0056-0057, see also 0042-0090, 0035, 0042-0046, 0065, 0079, 0097, Fig. 13, 1305)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein Lindemann's teachings pertaining to limiting device information provided to a server for authentication, based on privacy requirements, in order to permit authentication without a client having to provide all its device information, so as to protect users' privacy. See Lindemann, paragraphs 0023, 0056-0057, 0091. 
Liu does not explicitly disclose but Ulrich teaches:
… the portion of the detailed device information obtained using an SDK of the portable device, the SDK of the portable device including an authentication SDK; (Abstract, 0005-0007, claims 4, 6, 15)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Ulrich, in order to permit a party (e.g., merchant) to perform transaction authentication interacting with different entities using different devices and/or different software rather than requiring the party to continually use different equipment and/or software. See Ulrich, 0002-0004. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.

Regarding Claim 37
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 36 as set forth above. Liu further teaches:
wherein the transaction is a request to access data from the resource provider computer. (0078-0081 e.g., interaction may be user browsing items or attempting to access content)

Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich, and further in view of Mandava et al. (U.S. Patent Application Publication No. 2011/0191862), hereafter Mandava.

Regarding Claim 23
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Liu in view of Lindemann and Ulrich does not explicitly disclose but Mandava teaches:
 wherein the rules database limits the detailed device information retrieved by the server computer based at least in part on a geographic location associated with the portable device. (Abstract, Figs. 1-3, 0013-0018)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Mandava pertaining to limiting device information collected based on the privacy laws/rules/policies/ etc. in force any given geographic jurisdiction, in order to comply with the privacy laws/rules/policies/etc. of the jurisdiction in which the collection of device data is being carried out. See Mandava, 0006, 0013-0018, Khanwalkar (Provisional Application No. 62/063,567; copy enclosed with this Office Action), 0031. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.
Claims 24, 25 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich, and further in view of Beelen et al. (U.S. Patent Application Publication No. 2016/0267476 A1), hereafter Beelen.

Regarding Claim 24
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Liu in view of Lindemann and Ulrich does not explicitly disclose but Beelen teaches:
generating, by the server computer, a session identifier for the transaction. (0136-0141)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Beelen pertaining to the use of a session id, in order to further strengthen authentication and thereby further improve security. See Beelen, 0002-0004, 0020-0021, Liu, 0002-0004. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.

Regarding Claim 25
Liu in view of Lindemann, Ulrich and Beelen teaches the limitations of base claim 21 and intervening claim 24 as set forth above. Beelen further teaches:
wherein the session identifier is stored by the server computer. (0136-0141)

Regarding Claim 40
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 36 as set forth above. Liu in view of Lindemann and Ulrich does not explicitly disclose but Beelen teaches:
generating, by the server computer, a session identifier for the transaction, wherein the session identifier includes a time stamp (0140) that corresponds to the transaction (0136-0141)

Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich, and further in view of Ranganathan (U.S. Patent Application Publication No. 2012/0209773 A1).

Regarding Claim 28
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 and intervening claim 26 as set forth above. 
Liu further teaches:
wherein the portable device data identifies a type of device for the portable device (0034), … and a device identifier for the portable device (0034, 0081). 
Liu in view of Lindemann and Ulrich does not explicitly disclose but Ranganathan teaches:
… screen resolution for the portable device …. (0037)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Ranganathan pertaining to collecting screen resolution as device data for authentication/fraud prevention, because this is a variable/datum known to be useful/ result-effective for authenticating, determining (fraud) risk, etc. and so it would be usefully employed to strengthen authentication/fraud prevention, and thereby provide/improve security. See Ranganathan, 0006, 0037, Liu, 0002-0004. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.

Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich, further in view of Weller  (U.S. Patent Application Publication No. 2010/0114776 A1), hereafter Weller, and further in view of Ranganathan (U.S. Patent Application Publication No. 2012/0209773 A1).

Regarding Claim 32
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 21 as set forth above. Liu further teaches:
wherein the detailed portable device information includes browser data, geo-location data, … of the portable device. (0081)
Liu in view of Lindemann and Ulrich does not explicitly disclose but Weller teaches:
… language data, … (0009, 0034)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Weller pertaining to collecting language data as device data for authentication/fraud prevention, because this is a variable/datum known to be useful/result-effective for authenticating, determining (fraud) risk, etc. and so it would be usefully employed to strengthen authentication/fraud prevention, and thereby provide/improve security. See Weller, 0009, 0034, Liu, 0002-0004. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.
Liu in view of Lindemann and Ulrich does not explicitly disclose but Ranganathan teaches:
… cookies options …. (0037, 0038, 0057, 0066)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein these teachings of Ranganathan pertaining to collecting cookie information as device data for authentication/fraud prevention, because this is a variable/datum known to be useful/result-effective for authenticating, determining (fraud) risk, etc. and so it would be usefully employed to strengthen authentication/fraud prevention, and thereby provide/improve security. See Ranganathan, 0006, 0037, Liu, 0002-0004. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.

Claim 38 is rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich, and further in view of Weller et al. (U.S. Patent Application Publication No. 2010/0114776 A1, hereafter Weller.

Regarding Claim 38
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 36 as set forth above. Liu further teaches:
wherein the detailed device information further includes network browser data for the portable device, mobile application data for the portable device, geo-location data for the portable device, internet protocol address information for the portable device, … for the portable device. (0034, 0081) 
Liu in view of Lindemann and Ulrich does not explicitly disclose but Weller teaches:
… language data, … (0009, 0034)
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu with Weller as per claim 32 above. 

Claim 39 is rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. (U.S. Patent Application Publication No. 2014/0344155 A1), hereafter Liu, in view of Lindemann et al. (U.S. Patent Application Publication No. 2014/0189791 A1), hereafter Lindemann, further in view of Ulrich et al. (U.S. Patent Application Publication No. 2014/0279112 A1), hereafter Ulrich, and further in view of Carlson et al. (U.S. Patent Application Publication No. 2014/0040137 A1), hereafter Carlson.

Regarding Claim 39
Liu in view of Lindemann and Ulrich teaches the limitations of base claim 36 as set forth above. 
Liu in view of Lindemann and Ulrich does not explicitly disclose but Carlson teaches:
generating an offer associated with the transaction; and providing the offer for presentation to the portable device prior to completion of the transaction. (0084, 0088: offer associated with transaction is generated and provided for presentation on access device (e.g., by email, SMS, MMS) at step 704 (see 0083), before completion of transaction at step 705 (0088))
It would have been obvious to one of ordinary skill in the art not later than the effective filing date of the claimed invention to have modified Liu's systems and methods for more secure authentication of transactions, including generating risk scores based on user device information, by incorporating therein Carlson's teachings of providing an offer associated with a transaction, in order to provide additional benefits to users while taking advantage of information already accessed for the purpose of fraud prevention (hence at little to no expenditure of additional costs/resources to the parties involved). See Carlson, 0084, 0053, 0065. In addition, the combination in question is a matter of (A) Combining prior art elements according to known methods to yield predictable results; (C) Use of known technique to improve similar devices (methods, or products) in the same way; and (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable result. MPEP 2143.I.A., C., D.
Conclusion
The prior art made of record and not relied upon, as set forth in the accompanying Notice of References Cited (PTO-892), is considered pertinent to applicant's disclosure. Among the cited references, Khanwalkar (Provisional Application No. 62/063,567 at 0031) teaches limiting device information collected based on the privacy laws in force in any given geographic jurisdiction, in order to comply with the privacy laws of the jurisdiction in which the collection of device data is being carried out.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS W PINSKY whose telephone number is (571)272-4131.  The examiner can normally be reached on 8:30 am - 5:30 pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin Hewitt II can be reached on 571-272-6709.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DWP/
Examiner, Art Unit 3962

/DANIEL S FELTEN/Primary Examiner, Art Unit 3692