DETAILED ACTION
Acknowledgements
This Office Action is in reply to Applicant’s response filed 09 Nov. 2022 (“Response”).  
Claims 1–7, 9, 11–22 are currently pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The Information Disclosure Statement filed 09 August 2022 has been considered. An initialed copy of the Form 1449 is enclosed herewith.
Claim Rejections - 35 U.S.C. § 112(b)
The following is a quotation of 35 U.S.C. § 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1–7, 9, and 11–12 are rejected under 35 U.S.C. § 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 1 recites the limitation “the message” in line 10 and again in line 11. There is insufficient antecedent basis for this limitation(s) in the claim.
Dependent claims 2–7, 9, and 11–12 fail to cure this deficiency of independent claim 1 (set forth directly above) and are rejected accordingly.
Claim Rejections - 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3–7, 9, 11, 13–14, 16–18, and 20–22 are rejected under 35 U.S.C. § 103 as being unpatentable over Girish et al. (US 2019/0020478 A1) (“Girish”), in view of Daetz (US 2018/0197174 A1).
As per claim 1, Girish discloses a computer implemented method for providing authentication for secure transactions in a multi-server system (fig. 1), the method comprising:
receiving, at an authentication server from a requestor server, a first request for a cryptogram, the first request being associated with a transaction and including a requestor identifier ([0124] [0043] [0093]);
in response to receiving the first request, generating the cryptogram ([0124] [0093]–[0094] [0114]);
sending, from the authentication server, the cryptogram to the requestor server ([0124]);
receiving, at the authentication server from a merchant server, the cryptogram, a payment token, [and] a unique merchant identifier
validating, by the authentication server, the cryptogram ([0115] [0044]–[0045]);
comparing, by the authentication server, the unique merchant identifier 
authorizing, by the authentication server, the transaction when there is a match ([0115] [0044]–[0045] [0055] [0138]).
As indicated by strike-throughs above, Girish does not expressly disclose receiving a merchant secret and comparing the merchant secret to a merchant secret stored in the database, wherein the first field is designated for an expiration date and the merchant secret is included in a second field of the message designated for a card verification code.
Daetz teaches receiving a unique merchant identifier and a merchant secret in an authorization request, wherein the unique merchant identifier is included in a first field of the message and the merchant secret is included in a second field of the message ([0023]–[0025]), similar to the receiving of the cryptogram, a payment token, [and] a unique merchant identifier of Girish.
Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself – that is in the substitution of the unique merchant identifier and merchant secret pair of Daetz for the unique merchant identifier of Girish. Thus, the simple substitution of one known element for another, producing predictable results, renders the claim obvious.
Furthermore, when combining Girish and Daetz, as proposed above, one of ordinary skill in this art would understand the combination to teach a comparison of the substituted pair of values, since Girish teaches a comparison of the single ID, and the pair (ID/secret) is being substituted for the single ID.
Regarding the limitations of the first and second fields, i.e., “designated for an expiration date” and “designated for a card verification code,” respectively, these limitations represent a nonfunctional description of the fields, at least because they do not affect the “receiving” step or performance of any other positively recited step, and are therefore not given patentable weight. Alternatively, for at least independent claim 1, the expiration date and CVV for the pseudo-pan of Daetz may also read on the limitations of the newly added “wherein” clause.
As per claim 3, Girish and Daetz teach the computer implemented method of claim 1, wherein the method further comprises receiving, at the authentication server from the requestor server, an amount (Girish, [0054]); and wherein the cryptogram validation includes a validation of the amount received from the requestor server (Girish, [0115]).
As per claim 4, Girish and Daetz teach the computer implemented method of claim 1, further comprising: receiving, at the merchant server from the requestor server, the cryptogram, the payment token, and the unique merchant identifier; and sending, from the merchant server to the authentication server, the cryptogram, the payment token, the unique merchant identifier, and the merchant secret (Girish, [0134]–[0136] [0044] [0091]).
As per claim 5, Girish and Daetz teach the computer implemented method of claim 1, further comprising: receiving, at the requestor server from the authentication server, the cryptogram; and sending, from the requestor server to the merchant server, the cryptogram, the payment token, and the unique merchant identifier (Girish, [0134]–[0136] [0044] [0091]).
As per claim 6, Girish and Daetz teach the computer implemented method of claim 1, wherein the cryptogram is a dynamic cryptogram (Girish, [0044]).
As per claim 7, Girish and Daetz teach the computer implemented method of claim 1, wherein the unique merchant identifier is a 4 character code (Daetz, [0023]).
As per claim 9, Girish and Daetz teach the computer implemented method of claim 1, wherein the merchant secret is a 3 character code (Daetz, [0023]).
As per claim 11, Girish and Daetz teach the computer implemented method of claim 1, wherein the requestor identifier is a Token Requestor Identifier (Girish, [0047]).
Claims 13–14, 16–18, and 20–22 contain language similar to claims 1, 3–7, 9, and 11 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 13–14, 16–18, and 20–22 are also rejected under 35 U.S.C. § 103 as being unpatentable over the cited references. Specifically, regarding claims 13–14, one of ordinary skill in the art would understand that pseudo PAN of Daetz is designed for placement in field normally occupied by PAN, thereby meeting claimed “wherein one of the unique merchant identifier and the merchant secret is included in a field of the message designated for other data.”
Claims 2, 12, 15, and 19 are rejected under 35 U.S.C. § 103 as being unpatentable over Girish and Daetz, in view of Official Notice.
As per claim 2, Girish and Daetz teach the computer implemented method of claim 1, further comprising: generating, by the authentication server, the merchant secret and the unique merchant identifier, in response to receiving a second request from the requestor server prior to receiving the first request from the requestor server; storing the merchant secret and the unique merchant identifier in the database in association with one another; sending, from the authentication server to the requestor server, the unique merchant identifier; and sending, from the authentication server to the merchant server 
Although Girish/Daetz does not teach the “via a secure channel,” the Examiner takes Official Notice that transmission via a secure channel is old and well-known in this art to prevent loss of sensitive data during transmission.
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Girish/Daetz to use a secure channel for communicating the merchant secret. One would have been motivated to do so in order to protect the secret from loss.
As per claim 12, Girish/Daetz/Official Notice teach the computer implemented method of claim 2, wherein the second request is an enrollment request (Girish, [0091]; Daetz, [0023]–[0025]).
Claims 15 and 19 contain language similar to claim 2 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 15 and 19 are also rejected under 35 U.S.C. § 103 as being unpatentable over the cited references.
Response to Arguments
Applicant argues
At ¶0023, Daetz discloses a merchant ID, and a terminal ID, and then also, the “code engine 122 then assigns a merchant-specific code (e.g., a partial PAN, etc.) to the merchant 102 for use herein (in all transaction code-based transactions), along with a CVC and an expiration date for/specific to the merchant-specific code.” Logically, from Daetz, for a transaction using the merchant-specific code, the CVC is included in the CVC field of a transaction message, while the expiration date is included in an expiration date field of the message. Consequently, then, Daetz as cited fails to disclose or suggest receiving a message with data included in a field not designated for that field. Particularly, as recited in Claim 1, Daetz at ¶0023 does not disclose or suggest a unique merchant identifier being included in a field designated for an expiration date and a merchant secret being included in a field designated for a card verification code. Rather, in Daetz, the merchant-specific code, and associated card verification code, and expiration date are use as is conventional. Daetz does not suggest otherwise.
Response 9 (emphasis in original).
The Examiner respectfully disagrees. The CVC and expiration date mentioned in paragraph [0023] of Daetz are specific to the merchant-specific code, and therefore specific to the merchant itself. Furthermore, these data elements are included in fields designated for an actual CVC and expiration date of a credit card. Therefore, the CVC and expiration date may read on the merchant ID and merchant secret claimed. Furthermore, for claims 13 and 14, the merchant ID and merchant-specific code of Daetz are understood to reside in fields, at least one (i.e., the merchant-specific code) is also understood to reside in a field designated for other data (e.g., a PAN), and therefore these elements may read on the merchant ID and secret claimed. Furthermore, for each independent claim the merchant ID and merchant-specific code of Daetz may read on the merchant ID and secret claimed, since inclusion in any particular field of a message would not result in a functional relationship with the computer that performs claimed “receiving,” and therefore use of a particularly labeled field means only something to the human mind and is not given patentable weight. 
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB C. COPPOLA whose telephone number is (571)270-3922. The examiner can normally be reached Monday-Friday 8:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685