SYSTEMS AND METHODS FOR AUTHENTICATING ONLINE USERS IN REGULATED ENVIRONMENTS

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of the Application Claims 1-3, 6, 8-10, 12-13, 15-17, and 19 have been examined in this application. The filling date of this application number recited above is 21-June-2019. Domestic Benefit/National Stage priority has been claimed for 62/688,528, 62/688,529, 62/688546, and 62/688,532 in the Application Data Sheet, thus the examination will be undertaken in consideration of 22-June-2018, as the priority date, for applicable claims. No additional information disclosure statement (IDS) has been filed to date. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-3, 6, 8-10, 12-13, 15-17, and 19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The Claims are directed to an abstract idea, Methods of Organizing Human Activity. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea. As per Claims 1, 8, and 15, the claim recites “a … method implemented on an authentication [entity] that comprises a database storing historical transaction data for all transactions previously processed by a payment processing [entity], a directory [group] in communication with the database and including at least one [worker], and a risk-based authentication (RBA) [group] operated by the payment processing [entity] and in communication with the directory [group] and the database, the authentication [entity] communicatively coupled between a plurality of merchant and acquirer … and a plurality of issuer …, wherein a subset of the issuer … are each associated with a respective [intermediary], the method comprising: receiving, at the RBA [group] from the directory [group], authentication data extracted by the directory [group] from an authentication request message associated with a transaction; building, at the RBA [group], a … model using the historical transaction data for all transactions previously processed by the by the payment processing [entity], wherein the model is [used] to associate elements of the historical authentication data with successful or unsuccessful authentication outcomes; performing, at the RBA [group], RBA using the authentication data associated with that transaction, by inputting the authentication data into the … model, to generate a risk score for that transaction; selectively transmitting the risk score from the RBA [group] to the directory [group]; embedding, using the directory [group], the risk score into the authentication request message to generate an enhanced authentication request message, wherein embedding the risk score comprises appending the risk score to the authentication request message as … [modified] language … such that the enhanced authentication request message includes the risk score generated by the RBA [group]; and transmitting the enhanced authentication request message from the directory [group] (i) a first [intermediary] to enable the first [intermediary] to make an authentication decision using the risk score generated by the RBA performed at the RBA [group] without the [intermediary] performing RBA for the transaction, or (ii) a merchant or acquirer …, bypassing any [intermediary], to enable the merchant or acquirer … to proceed with authorization of the transaction.” The limitation of the claims recited above, considering the claims without the additional elements (e.g. system, processor, etc.), under its broadest reasonable interpretation (BRI), recites Certain Methods of Organizing Human Activity, specifically under fundamental economic principles or practices and/or commercial or legal interactions. The method recited above is a process of performing authentications or verifications on transactions to provide risk scores, building a model using historical transaction data, transmitting messages regarding transaction authentication, performing authentication, and transmitting the transaction authentication request to different entities. This recited process is to mitigate the risk of processing fraudulent transactions, and allows the customer to see visuals of the risk levels associated with transactions, as disclosed by Specification: [00168] “FIG. 12 is a flow diagram of an advanced authentication process 1200 for increasing approvals, reducing fraud, and improving consumer experience”, wherein risk mitigation is a fundamental economic principle or practice, a certain method of organized human activity. Additionally, the process involves various interactions with respect to the transaction to receive and transmit data or information, analyze the information, and authenticate information, which is a commercial or legal interaction, also under certain method of organized human activity. Therefore, the claims recite an abstract idea. This judicial exception is not integrated into practical application. In particular, the claims recite an additional element of “authentication platform”, “computing devices”, “access control server (ACS)”, “database”, “memory device”, “processor”, “directory server”, “RBA engine”, and “non-transitory computer-readable storage media” to perform the method recited above by instructing the abstract idea to be performed “by” these generic computer components. These general computer components are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system, as disclosed by Specification: [0063] “As used herein, a processor may include any programmable system including systems using micro-controllers, reduced instruction set circuits (RISC), application specific integrated circuits (ASICs), logic circuits, and any other circuit or processor capable of executing the functions described herein”; [0064] “As used herein, the term "database" may refer to either a body of data, a relational database management system (RDBMS), or to both. As used herein, a database may include any collection of data including hierarchical databases, relational databases, flat file databases, object-relational databases, object oriented databases, and any other structured collection of records or data that is stored in a computer system”; [0065] “In one embodiment, a computer program is provided, and the program is embodied on a computer readable medium … The application is flexible and designed to run in various different environments without compromising any major functionality … One or more components may be in the form of computer-executable instructions embodied in a computer-readable medium”; [0067] “As used herein, the terms "software" and "firmware" are interchangeable, and include any computer program stored in memory for execution by a processor, including RAM memory, ROM memory, EPROM memory, EEPROM memory, and non-volatile RAM (NVRAM) memory”. The claims merely recite generic functions to be performed by these generic computer components, such as: receive data, extract data, compare data, and transmit data, which are mere instructions to implement an abstract idea on a generic computer system. Merely using the generic computer system as a tool to perform an abstract idea (i.e. mere “apply it”) is not indicative of integration into a practical application (e.g. using a processor to receive, transmit, update data, etc.); see MPEP 2106.05(f). Use of a computer or other machinery in its ordinary capacity for economic or other tasks (e.g., to receive, transmit, update, or display data) or simply adding a general purpose computer or computer components after the fact to an abstract idea (e.g., certain methods of organizing human activities) does not integrate a judicial exception into a practical application or provide significantly more. See Affinity Labs v. DirecTV, 838 F.3d 1253, 1262, 120 USPQ2d 1201, 1207 (Fed. Cir. 2016) (cellular telephone); TLI Communications LLC v. AV Auto, LLC, 823 F.3d 607, 613, 118 USPQ2d 1744, 1748 (Fed. Cir. 2016) (computer server and telephone unit). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims also recite additional elements associated with a “machine learning model”, which is built and trained with historical transaction data, and used to provide a risk score. The machine learning model is merely applied as a “black-box” application, wherein the model is given an input (i.e. authentication data) to provide an output (i.e. risk score), without providing the technological details or specific technical steps on how the machine learning model is used, built, and trained. Therefore, as similarly discussed above, this additional element is mere “apply it”, which is not indicative of integration into a practical application. The claims recite additional elements associated with the ACS, such as “selectively transmit the enhanced authentication request message to (i) a first ACS to enable the first ACS to make an authentication decision using the risk score generated by the RBA performed at the RBA engine and without the ACS performing RBA for the transaction, or (ii) a merchant or acquirer computing device, bypassing any ACS, to enable the merchant or acquirer computing device to proceed with authorization of the transaction”. However, there is no technical improvement or technological solution provided to the ACS itself or any of the underlying technology, rather the claims are merely reciting that the message is transmitted to another element (e.g. first ACS or merchant/acquirer computing device) to perform the authentication or authorization of the transaction, without the ACS or bypassing the ACS. This would still be considered as part of the abstract idea of transmitting authentication request message to another entity, without the intermediary getting involved in the authentication process, and as similarly discussed above, these additional elements are mere “apply it”, which is not indicative of integration into a practical application. The claims also recite “wherein embedding the risk score comprises appending the risk score to the authentication request message as an extensible markup language (XML) extension such that the enhanced authentication request message includes the risk score generated by the RBA engine”. Appending the message as a certain format (i.e. XML extension) is adding insignificant extra-solution activity to the judicial exception (e.g. mere data manipulation), which is not indicative of integration into a practical application; see MPEP 2106.05(g). The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, the additional element of using a computer based system is recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system. The claims lack sufficient technical details to provide how these limitations may provide technological steps or technical details on how it is particularly implemented on a computer to improve its system or any of its underlying hardware or components (e.g. how it is performed on the computer, how it could improve the computer itself, how it could manipulate the computer to function in a specific way other than its generic functionality, and/or how it could improve any of the underlying technology), but merely applies the generic computer system to perform its generic functionalities. Mere instructions to implement the abstract idea on the generic computer system, or merely using the generic computer system as a tool to perform the abstract idea (e.g. mere “apply it”) is not indicative of an inventive concept (aka “significantly more”). In view of the Specification, the judicial exception is not applied with or used by a particular machine. As held in Parker v. Flook, 437 U.S. 584, 590, 198 USPQ 193, 199 (1978) and Bancorp Services v. Sun Life, 687 F.3d 1266, 1276, 103 USPQ2d 1425, 1433 (Fed. Cir. 2012), “the routine use of a computer to perform calculations cannot turn an otherwise ineligible mathematical formula or law of nature into patentable subject matter.” The claims are not patent eligible. Regarding dependent claims, they are still directed to an abstract idea without significantly more. Claims 2, 9, and 16 recite “wherein the enhanced authentication request message includes data indicating that the transaction is not mandated for strong consumer authentication” The claims provide details regarding the message (i.e. message includes certain data). As similarly discussed above with its parent claims, mere instructions to implement an abstract idea on a computer is not indicative of integration into a practical application; see MPEP 2106.05(f). Claims 3, 10, and 17 recite “wherein the RBA engine is further configured to: generate another enhanced authentication request message associated with another transaction, the another enhanced authentication request message including data indicating that the another transaction is mandated for strong consumer authentication; and transmit the another enhanced authentication request message to the ACS, the indicated mandate causing the ACS to initiate strong consumer authentication for the another transaction.” The claims provide further steps with respect to generating a message and transmitting the message. As similarly discussed above with its parent claims, mere instructions to implement an abstract idea on a computer is not indicative of integration into a practical application; see MPEP 2106.05(f). Additionally, the generation and transmission of data is mere data gathering and/or manipulation, which is adding insignificant extra-solution activity to the judicial exception, which is not indicative of integration into a practical application; see MPEP 2106.05(g). Claims 6, and 13 recite “wherein the RBA engine is further configured to generate, for the transaction, at least one reason code that indicates at least one factor that influenced the generated risk score.” The claims provide further details regarding the data (e.g. RBA result data include at least one reason code), by which mere data gathering and/or manipulation is adding insignificant extra-solution activity to the judicial exception, which is not indicative of integration into a practical application; see MPEP 2106.05(g). Claims 12 and 19 recite “wherein one or more of the first historical fraud data and the second historical fraud data include basis points of fraud.” The claims provide further details regarding the data (e.g. first and second historical data including basis points of fraud), by which mere data gathering and/or manipulation is adding insignificant extra-solution activity to the judicial exception, which is not indicative of integration into a practical application; see MPEP 2106.05(g). These additional steps of each claims fail to remedy the deficiencies of their parent claim above because they are merely further limiting the rules used to conduct the previously recited abstract idea, and are therefore rejected for at least the same rationale as applied to their parent claim above. Claims 2-3, 6, 9-10, 12-13, 16-17, and 19, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitations fail to establish that the claims are sufficient to integrate into a practical application and do not amount to significantly more than the judicial exception. Similarly to the independent claims, each claim recites using a generic computer system to perform the abstract idea as mentioned above. Mere “apply it” is not “significantly more”. Therefore, prong 2 and step 2B analysis are similar to above and these claims are not eligible. Therefore, Claims 1-3, 6, 8-10, 12-13, 15-17, and 19 are not drawn to eligible subject matter as they are directed to an abstract idea without significantly more. Response to Arguments Applicant's arguments, see pages 10 to 16, filed 03 December 2025, with respect to 35 U.S.C. 101 rejection have been fully considered but they are not persuasive. Applicant contends, see pages 10 to 12, under Step 2A Prong One, that the claims do not recite an abstract idea. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 101 rejection, considering the claims without the additional elements (e.g. system, processor, devices, ACS, etc.), under BRI, the claims recite a process of transaction authentication through various interactions by receiving and transmitting messages, which is certain methods of organizing human activities. The additional elements recited by the claims, such as the database, server, devices, etc., being “communicatively coupled” merely indicates that the various elements are able to communicate with each other, which can be performed by generic computer component with the generic computer system. The machine learning model is a mere “apply it” as a black-box application, and the additional steps of transmitting authentication messages which bypass the ACS is merely transmitting messages, which is still part of the abstract idea, as discussed above under 35 U.S.C. 101 rejection. Therefore, the claims recite an abstract idea. Applicant contends, see pages 12 to 13, under Step 2A Prong Two, that the claims are not directed to an abstract idea. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 101 rejection, the additional elements are mere generic computer components as disclosed by the Specification, performing its generic functionalities (e.g. receive, analyze, transmit data, etc.) to implement the abstract idea. The claims recite a process to bypass the ACS by selectively transmitting the authentication messages to another device, but the message is still being transmitted with a purpose of transaction authentication from one element to another element, wherein the improvement to the “authentication data messaging flow” is an improvement towards the abstract idea and not the technology itself. Therefore, mere “apply it” is not indicative of integration into a practical application. Applicant contends, see pages 14 to 16, under Step 2B, that the claims are “significantly more”. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 101 rejection, the claims, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, the additional element of using a computer based system is recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system. Unlike BASCOM, the claims of the present application is merely transmitting messages, and indicates that the message is sent to another device instead of the ACS. There is no technical details or steps entailing on how the other device performs the authentication process that is different from the ACS, or how bypassing the ACS would particularly improve its system or any of its underlying hardware or components (e.g. how it is performed on the computer, how it could improve the computer itself, how it could manipulate the computer to function in a specific way other than its generic functionality, and/or how it could improve any of the underlying technology), but merely applies the generic computer system to perform its generic functionalities. Mere instructions to implement the abstract idea on the generic computer system, or merely using the generic computer system as a tool to perform the abstract idea (e.g. mere “apply it”) is not indicative of an inventive concept (aka “significantly more”). Therefore, the 35 U.S.C. 101 rejection is maintained. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY H JUNG whose telephone number is (571)270-5018. The examiner can normally be reached Mon - Fri 9:30 - 5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine M Tran (Behncke) can be reached at (571) 272-8103. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HENRY H JUNG/ Examiner, Art Unit 3695 /HAO FU/ Primary Examiner, Art Unit 3695