DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/09/22 has been entered.
 
Acknowledgment
Applicant’s amendment filed on August 9, 2022 is acknowledged. Accordingly claims 1-20 remain pending and have been examined.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-10, 15-16 and 18-20, is/are rejected under 35 U.S.C. 103 as being unpatentable over Flurscheim et al (hereinafter “Flurscheim”) U.S. Patent No. 11,080,696 B2  in view of Prakash et al (hereinafter “Prakash”) U.S. Patent Application Publication No. 2017/0270528 A1 and/or Hammad U.S. Patent Application Publication No. 2011/0225094 A1]]]]

As per claim 1, Flurscheim discloses an intermediary server system for providing data for use in authenticating a transaction between the mobile device and a gateway, the server system comprising:
an input (see fig. 1 A and associated text);
an output (see fig. 1 A and associated text); and
a processor configured with instructions that when executed cause the processor to: 
receive, from the mobile device via the input, a dynamic transaction cryptogram and transaction data associated with the transaction, the dynamic transaction cryptogram being generated using a cryptographic key based on an application transaction counter that is unique to the transaction such that the dynamic transaction cryptogram uniquely identifies the transaction, the transaction data including data identifying a payment card used in the transaction, an expiry date of the payment card, and a card verification code of the payment card (col. 8, lines 1-14, which discloses that “At step S115A, the communication device 10 may initiate the transaction and also initiated a request for a token by transmitting the transaction data, including the transaction amount and the token reference identifier, to an application provider computer 40.”); 
generate a reference data request, the reference data request including a request for dynamic reference data associated with the dynamic transaction cryptogram, the reference data request further including the dynamic transaction cryptogram and the transaction data (col. 7, lines 57-67, which discloses that “The communication device 10 may also generate, request or retrieve a token reference identifier corresponding to the sensitive information. A mapping between the token reference identifier and a token representing the sensitive information may be stored by the token server 30, as described further herein.”); 
transmit, to a remote authentication server, the generated reference data request (col. 8, lines 15-22, which discloses that “At step S130A, the application provider computer 40 may transmit the token, transaction amount, transaction identifier, and/or other transaction data to a gateway computer 45.”);
in response to the reference data request, receive, from the remote authentication server, the dynamic reference data (col. 9, lines 31-39, which discloses that “At step S120B, the application provider computer 40 may send the token reference identifier and the transaction data to the token server 30, as well as request a verification value associated with the sensitive information (e.g., a CVN associated with a selected payment device).”); 
alter the received transaction data by replacing the expiry date of the payment card with the dynamic reference data (col. 11, lines 52—67, which discloses that “At step S376, the transaction processing computer 60 may replace the token with the sensitive information in the authorization request message, and forward the authorization request message to an authorizing entity computer 70 (e.g., an issuer) for authorization.”); and
transmit, to the gateway, the altered transaction data (col. 11, lines 52—67, which discloses that “At step S376, the transaction processing computer 60 may replace the token with the sensitive information in the authorization request message, and forward the authorization request message to an authorizing entity computer 70 (e.g., an issuer) for authorization.” Col. 21, lines 32-57, which discloses that “Life-cycle operations may include canceling a token, activating or deactivating a token, updating token attributes, renewing token with a new expiration date, etc.”).
Alternatively Prakash and /or Hammad discloses the intermediary server comprising:
alter the received transaction data by replacing the expiry date of the payment card with the dynamic reference data (Prakash: 0078, which discloses that “The mobile device may provide location information associated with its current position in relation to the request for the dynamic data (or replacement dynamic data).”; 0077; 0081; Hammad: 0097, which discloses that “Furthermore, replacing the CVV2 field and/or the expiration date with fake values makes it harder for the fraudsters to accurately determine how such fake values are obtained and if they are actually used in a payment transaction.”); and 
transmit, to the gateway, the altered transaction data (0097, which discloses that “Furthermore, replacing the CVV2 field and/or the expiration date with fake values makes it harder for the fraudsters to accurately determine how such fake values are obtained and if they are actually used in a payment transaction.”).
Accordingly it would have been obvious to one of ordinary skill in the art at time of applicant’s invention to modify the intermediary server system of Flurscheim and incorporate an intermediary server system further comprising: alter the received transaction data by replacing the expiry date of the payment card with the dynamic reference data in view of the teachings of Prakash and/or Hammad in order to enhance security of the transaction

As per claim 2, Flurscheim further discloses the intermediary server system, wherein the processor is configured to transmit to the remote authentication server, an indication that dynamic validation data should be provided by the remote authentication server, and to receive the dynamic validation data from the remote authentication server (see claim 1).

As per claim 3, , Flurscheim further and Hammad further discloses the intermediary server system, wherein the processor is configured to alter the received transaction data by replacing the card verification code with the dynamic validation data (col. 11, lines 52—67; Hammad 0097).

As per claim 4, Flurscheim further discloses the intermediary server system, wherein the dynamic reference data is randomly-generated (col. 4, lines 11-32).

As per claim 5, Flurscheim further discloses the intermediary server system, wherein the dynamic reference data is randomly-generated (col. 4, lines 11-32).

As per claim 6, Flurscheim further discloses the intermediary server system, wherein the dynamic reference data is randomly-generated (col. 4, lines 11-32).

As per claim 7, Flurscheim further discloses the intermediary server system, wherein the transaction comprises an online payment transaction and the gateway corresponds to an online payment gateway associated with a merchant (col. 20, lines 46-64). 

As per claim 8, Flurscheim further discloses the intermediary server system, wherein: the processor is configured to 
transmit to the remote authentication server, an indication that dynamic validation data should be provided by the remote authentication server, and to receive the dynamic validation data from the remote authentication server (see claim 1); and 
the transaction comprises an online payment transaction and the gateway corresponds to an online payment gateway associated with a merchant (col. 20, lines 46-64).

As per claim 9, Flurscheim further discloses the intermediary server system, wherein: 
the processor is configured to transmit to the remote authentication server, an indication that dynamic validation data should be provided by the remote authentication server, and to receive the dynamic validation data from the remote authentication server (col. 11, lines 52—67);
 the processor is configured to alter the received transaction data by replacing the card verification code with the dynamic validation data (col. 11, lines 52—67); and 
the transaction comprises an online payment transaction (col. 20, lines 46-64) and 
the gateway corresponds to an online payment gateway associated with a merchant (col. 20, lines 46-64) 

As per claim 10, Flurscheim further discloses the intermediary server system, wherein: 
the dynamic reference data is randomly-generated (col. 11, lines 52—67); 
the processor is configured to transmit to the remote authentication server, an indication that dynamic validation data should be provided by the remote authentication server, and to receive the dynamic validation data from the remote authentication server (col. 11, lines 52—67); 
the processor is configured to alter the received interaction data by replacing the card verification code with the dynamic validation data (col. 11, lines 52—67); and 
the transaction comprises an online payment transaction and the gateway corresponds to an online payment gateway associated with a merchant (col. 20, lines 46-64)

As per claim 15, Flurscheim discloses a server for generating data for authentication of a transaction carried out between a mobile device and a gateway, the server comprising:
a database (col. 17, line 35-col.18, lines 14, which discloses “storing this information in user database 903”); and
a processor configured with instructions that when executed cause the processor to: 
receive, from an intermediary server system associated with the mobile device and gateway, a reference data request, the reference data request including a request for dynamic reference data, the reference data request comprising a dynamic transaction cryptogram and first transaction data associated with the transaction, the dynamic transaction cryptogram being generated using a cryptographic key based on an application transaction counter that that is unique to the transaction such that the dynamic transaction cryptogram uniquely identifies the transaction, the first transaction data including data identifying a payment card used in the transaction and an expiry date of the payment card (col. 8, lines 1-14, which discloses that “At step S115A, the communication device 10 may initiate the transaction and also initiated a request for a token by transmitting the transaction data, including the transaction amount and the token reference identifier, to an application provider computer 40.”); 
store the dynamic transaction cryptogram and the first transaction data in the database;
generate, in response to the request, the dynamic reference data associated with the dynamic transaction cryptogram (col. 7, lines 57-67, which discloses that “The communication device 10 may also generate, request or retrieve a token reference identifier corresponding to the sensitive information. A mapping between the token reference identifier and a token representing the sensitive information may be stored by the token server 30, as described further herein.”); 
store, in the database, the generated dynamic reference data together with the received dynamic transaction cryptogram (col. 17, line 35-col.18, lines 14, which discloses that “In some embodiments, token request module 908 may also, in conjunction with processor 901, track which sensitive information or token is provided to a particular communication device by storing this information in user database 903.”); 
transmit, to the intermediary server system, the dynamic reference data (col. 8, lines 15-22, which discloses that “At step S130A, the application provider computer 40 may transmit the token, transaction amount, transaction identifier, and/or other transaction data to a gateway computer 45.”); 
receive, from a merchant, second transaction data, the second transaction data including the data identifying a payment card used in the transaction and the dynamic reference data (col. 9, lines 31-39, which discloses that “At step S120B, the application provider computer 40 may send the token reference identifier and the transaction data to the token server 30, as well as request a verification value associated with the sensitive information (e.g., a CVN associated with a selected payment device).”); 
extract the dynamic reference data from the second transaction data (col. 7, lines 57-67, which discloses that “The communication device 10 may also generate, request or retrieve a token reference identifier corresponding to the sensitive information. A mapping between the token reference identifier and a token representing the sensitive information may be stored by the token server 30, as described further herein.”); 
retrieve, from the database, the dynamic transaction cryptogram associated with the dynamic reference data (col. 7, lines 57-67, which discloses that “The communication device 10 may also generate, request or retrieve a token reference identifier corresponding to the sensitive information. A mapping between the token reference identifier and a token representing the sensitive information may be stored by the token server 30, as described further herein.”); 
insert the dynamic transaction cryptogram into the second transaction data; and validate the dynamic transaction cryptogram (col. 11, lines 52—67, which discloses that “At step S376, the transaction processing computer 60 may replace the token with the sensitive information in the authorization request message, and forward the authorization request message to an authorizing entity computer 70 (e.g., an issuer) for authorization.”).
Alternatively Prakash and /or Hammad discloses the intermediary server comprising:
insert the dynamic transaction cryptogram into the second transaction data; and validate the dynamic transaction cryptogram (Prakash: 0078, which discloses that “The mobile device may provide location information associated with its current position in relation to the request for the dynamic data (or replacement dynamic data).”; 0077; 0081; Hammad: 0097, which discloses that “Furthermore, replacing the CVV2 field and/or the expiration date with fake values makes it harder for the fraudsters to accurately determine how such fake values are obtained and if they are actually used in a payment transaction.”); and 
transmit, to the gateway, the altered transaction data (0097, which discloses that “Furthermore, replacing the CVV2 field and/or the expiration date with fake values makes it harder for the fraudsters to accurately determine how such fake values are obtained and if they are actually used in a payment transaction.”).
Accordingly it would have been obvious to one of ordinary skill in the art at time of applicant’s invention to modify the intermediary server system of Flurscheim and incorporate an intermediary server system further comprising: insert the dynamic transaction cryptogram into the second transaction data; and validate the dynamic transaction cryptogram in view of the teachings of Prakash and/or Hammad in order to enhance security of the transaction

As per claim 16, Flurscheim further discloses the server, wherein the processor is configured to associate a maximum storage validity period with the dynamic transaction cryptogram (col. 19, lines 47-67).

As per claim 18, Flurscheim further discloses the server, wherein the processor is further configured to determine whether the maximum storage validity period of the dynamic transaction cryptogram has been exceeded (col. 19, lines 47-67).

As per claim 19, Flurscheim further discloses the server, wherein the processor is further configured to retrieve from the database the first transaction data and compare the dynamic reference data with the  first transaction data (col. 8, lines 44-57).

As per claim 20, Flurscheim further discloses the server, wherein the first transaction data further comprises dynamic validation data, and wherein the processor is further configured to from the database retrieve the first transaction data and compare the dynamic validation data with the first transaction data (col. 8, lines 44-57)


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Charles C. Agwumezie whose number is (571) 272-6838. The examiner can normally be reached on Monday – Friday 8:00 am – 5:00 pm.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Hayes can be reached on (571) 272 – 6708.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHINEDU C AGWUMEZIE/Primary Examiner, Art Unit 3685                                                                                                                                                                                                        November 8, 2022