Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments/Amendments
Regarding rejection of the claims under 35 USC 101, Applicant submits that the claims are not directed to an abstract idea such as mental processes. The Examiner respectfully disagrees. While the Examiner agrees the claims are not directed to mental processes, the claims are directed to both fundamental economic principles and practices, such as validating transactions using authentication information, and mathematical concepts, such as one-way hashing. Therefore, the claims are directed to an abstract idea.
Applicant further submits that the claims as a whole provide for improved computer security and thus integrate any alleged abstract idea into a practical application. The Examiner respectfully disagrees. Applicant’s alleged improvement does not improve the functioning or performance of a computer/processor nor does it improve a particular technological field. Rather, the improvement is directed to improving the abstract idea of validating financial transactions. Furthermore, Applicant has failed to point to any specific additional element(s) that integrate the alleged improvement into the claims. Therefore, the rejection is maintained.
Regarding Applicant’s arguments with respect to rejection of the claims under 35 USC 103 over Schibuk in view of Pinkas, the arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 16-35 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
In the instant case, claims 16-25 are directed to a method and claims 26-35 are directed to a device. Therefore, these claims fall within the four statutory categories of invention.
Claim 16 recites: A method of validating a transaction by a validation platform, the method comprising:
setting a status associated with a shared secret as being valid, the status limiting usage of the shared secret to at most one electronic transaction;
provisioning a user device with the shared secret and a shared secret identifier associated with the shared secret;
receiving authentication data for a transaction, the authentication data identifying a user of the user device and comprising a transaction hash value and a transaction shared secret identifier;
verifying that the transaction shared secret identifier corresponds to a valid shared secret based on the status associated with the shared secret corresponding to the transaction shared secret identifier;
calculating a verification hash value by calculating a one-way hash of data comprising the shared secret corresponding to the transaction shared secret identifier;
comparing the transaction hash value and the verification hash value to determine if the electronic transaction is valid; and
responsive to the electronic transaction being determined as being valid, transmitting a notification to a server to execute the electronic transaction.(Additional element(s) emphasized in bold)
The above claim describes a process for setting a status associated with identification information being valid, the status limiting usage of the identification information to at most one transaction; provisioning a user/customer with the identification information and an associated identifier; receiving authentication data for a transaction identifying the user and including the identification information and the associated identifier; verifying that the associated identifier corresponds to valid identification information based on the status associated with the identification information corresponding to the associated identifier; comparing the received identification information with stored identification information retrieved using the associated identifier to determine if the transaction is valid; and responsive to the transaction being determined as valid, transmitting a notification to a financial institution to execute the transaction. Therefore, claim 16 is directed to the abstract idea of validating transactions using authentication information which is grouped within the “certain methods of organizing human activity” grouping of abstract ideas under the “fundamental economic principles or practices” sub-grouping in prong one of step 2A. Furthermore, claim 16 is also directed to the abstract idea of mathematical calculations and equations/formulas (e.g. hashing) which is grouped within the “mathematical concepts” grouping of abstract ideas. Accordingly, the claims recite an abstract idea (See MPEP 2106.04).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A (See MPEP 2106.04), the additional elements of the claim such as user device, shared secrets, electronic transaction, one-way hashing/hash values, and a server merely uses a computer as a tool to perform an abstract idea. The use of shared secrets, electronic transactions, and one-way hashing/hash values does no more than generally link the abstract idea to a particular field of use (e.g. transaction cryptography/cryptograms) due to reciting said elements at no more than a high level of generality (e.g. shared secrets are merely substitutes for any generic secret information shared between two or more parties, electronic transactions are merely substitutes for physical transactions, and one-way hashing can be performed by any generic, off-the-shelf computing device executing standard mathematical algorithms). Finally, the use of a processor/computer (user device, server) as a tool to implement the abstract idea does not integrate the abstract idea into a practical application because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea. Accordingly, the additional elements do not impose any meaningful limits on practicing the abstract idea, and the claims are directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B (See MPEP 2106.05), the additional elements of user device, shared secrets, electronic transaction, one-way hashing/hash values, and a server do not amount to significantly more than the abstract idea. As discussed above, taking the claim elements separately, the use of shared secrets, electronic transactions, and one-way hashing/hash values does no more than generally link the abstract idea to a particular field of use (e.g. transaction cryptography/cryptograms) due to reciting said elements at no more than a high level of generality (e.g. shared secrets are merely substitutes for any generic secret information shared between two or more parties, electronic transactions are merely substitutes for physical transactions, and one-way hashing can be performed by any generic, off-the-shelf computing device executing standard mathematical algorithms). Finally, the use of a user device and server does no more than use a computer/processor as a tool to implement and/or automate the abstract idea. Viewed as a whole, the combination of elements recited in the claims merely recite a process for validating a transaction with authentication information using a computer. Therefore, the use of these additional elements does no more than employ the computer as a tool to automate and/or implement the abstract idea. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). Therefore, the claim is not patent eligible.
Dependent claims 17-24 further describe characteristics of data (e.g. a plurality of shared secrets and identifiers, types of data, types of communication protocols, etc.) and steps to perform the abstract idea. Furthermore, the additional elements of communication links, contactless transaction, and mobile device do no more than continue to generally link the abstract idea to a particular field of use. Accordingly, the dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. Therefore, the dependent claims are also not patent eligible.
The same analysis pertaining to the abstract idea of transaction validation holds true for claims 26-35 as well, with the additional elements of memory and processor merely using a processor/computer as a tool to implement the abstract idea. Therefore, claims 26-35 are also not patent eligible.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 16-23 and 26-33 are rejected under 35 U.S.C. 103 as being unpatentable over Schibuk (US 2012/0191615 "Schibuk") in view of Flurscheim et al. (US 2016/0140545 “Flurscheim”) and Pinkas et al. (US 2014/0058952 "Pinkas").
Regarding claims 16 and 26, Schibuk discloses: A method and device for validating a transaction by a validation platform, comprising:
provisioning a user device with the shared secret ("encryption seed") and a shared secret identifier ("sequence number") associated with the shared secret (Fig. 2, 0042, 0044, 0074-0075);
receiving authentication data for a transaction, the authentication data identifying a user of the user device ("purchaser identifier") and comprising a transaction hash value ("transaction cipher") and a transaction shared secret identifier ("sequence number") (Fig. 7a-7b, 0040, 0074, 0076-0077, 0079);
calculating a verification hash value by calculating a one-way hash of data comprising the shared secret corresponding to the transaction shared secret identifier (Fig, 7b, 0040, 0079-0080);
and comparing the transaction hash value and the verification hash value to determine if the electronic transaction is valid (Fig, 7b, 0040, 0079-0080).
Schibuk does not disclose: setting a status associated with a shared secret as being valid, the status limiting usage of the shared secret to at most one electronic transaction;
verifying that the transaction shared secret...corresponds to a valid shared secret based on the status associated with the shared secret corresponding to the transaction shared secret identifier;
and responsive to the electronic transaction being determined as being valid, transmitting a notification to a server to execute the electronic transaction.
However, in the same field of endeavor, Flurscheim discloses: setting a status (“threshold”) associated with a shared secret (“LUK”) as being valid, the status limiting usage of the shared secret to at most one electronic transaction (Fig. 2, 0047, 0053, 0056, 0097);
provisioning a user device with the shared secret and a shared secret identifier associated with the shared secret (“key index”) (Fig. 2, Fig. 13, 0063, 0097-0098, 0212-0213);
verifying that the transaction shared secret...corresponds to a valid shared secret based on the status associated with the shared secret corresponding to the transaction shared secret identifier (Fig 13, 0139-0140, 0145, 0214-0215);
and responsive to the electronic transaction being determined as being valid, transmitting a notification to a server to execute the electronic transaction (Fig. 1, 0092-0094, 0145).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify claims 16 and 26 disclosed by Schibuk by including setting and verifying a status of the shared secret for validity as disclosed by Flurscheim. One of ordinary skill in the art would have been motivated to make this modification to allow limits on use of limited-use keys to prevent transactions exceeding the threshold(s) (see Flurscheim 0053).
Schibuk in view of Flurscheim does not disclose: verifying that the transaction shared secret identifier corresponds to a valid shared secret...
However, in the same field of endeavor (see e.g. Schibuk 0055), Pinkas discloses: verifying that the transaction shared secret identifier corresponds to a valid shared secret (0029-0030).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify claims 16 and 26 disclosed by Schibuk in view of Flurscheim by including verifying a valid shared secret as disclosed by Pinkas. One of ordinary skill in the art would have been motivated to make this modification to improve security and trustworthiness of the transaction (see Pinkas 0025).
Regarding claims 17 and 27, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 16 and 26. Schibuk further discloses: wherein the validation platform provisions the user device with a plurality of shared secrets and a plurality of shared secret identifiers, each shared secret identifier corresponding to a respective shared secret (0044, 0074-0075).
Regarding claims 18 and 28, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 16 and 26. Schibuk further discloses: wherein following receipt of authentication data including a shared secret identifier, the validation platform invalidates the shared secret corresponding to the shared secret identifier for future transactions (0055, 0075).
Regarding claims 19 and 29, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 16 and 26. Schibuk further discloses: wherein data used to calculate the verification hash value further comprises information relating to identification of the user (0076, 0079).
Regarding claims 20 and 30, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 18 and 28. Schibuk further discloses: wherein the validation platform invalidates the shared secret by setting a status associated with the shared secret as being invalid (0055, 0075).
Regarding claims 21 and 31, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 16 and 26. Schibuk further discloses: transmitting a message to an issuer computer indicating a result of comparing the transaction hash value and the verification hash value (0080).
Regarding claims 22 and 32, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 17 and 27. Schibuk further discloses: wherein the validation platform transmits the plurality of shared secrets and the plurality of shared secret identifiers to the user device via a first communication link, the first communication link communicating data using an Internet Protocol (0070).
Regarding claims 23 and 33, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 16 and 26. Schibuk further discloses: wherein the transaction comprises a contactless payment transaction, and the user device is a mobile device comprising a contactless payment device (0069-0070).
Claims 24-25 and 34-35 are rejected under 35 U.S.C. 103 as being unpatentable over Schibuk in view of Flurscheim and Pinkas as applied to claims 16 and 26 above, and further in view of Le Saint et al. (US 2016/0065370 "Le Saint").
Regarding claims 24 and 34, Schibuk in view of Flurscheim and Pinkas discloses all limitations of claims 17 and 27.
Schibuk in view of Flurscheim and Pinkas does not disclose: wherein the validation platform transmits the plurality of shared secrets and the plurality of shared secret identifiers via a first communication link, and wherein the user device transmits the authentication data via a second communication link different from the first communication link.
However, in the same field of endeavor, Le Saint discloses: wherein the validation platform transmits the plurality of shared secrets and the plurality of shared secret identifiers via a first communication link, and wherein the user device transmits the authentication data via a second communication link different from the first communication link (0177, 0181).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify claims 24 and 34 disclosed by Schibuk in view of Flurscheim and Pinkas by including two different communication links as disclosed by Le Saint. One of ordinary skill in the art would have been motivated to make this modification to improve security and prevent interception of sensitive data (see Le Saint 0002).
Regarding claims 25 and 35, Schibuk in view of Flurscheim and Pinkas and further in view of Le Saint discloses all limitations of claims 24 and 34. Schibuk further discloses: wherein the second communication link is a wireless communication link (0070).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Prakash et al. (US 20160092872) generally discloses systems and methods for provisioning multiple limited use keys (LUKs) used for generating transaction cryptograms and associated with specific use policies limiting their transaction usage to particular threshold limits.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAYLOR RAK whose telephone number is (571)270-1575. The examiner can normally be reached Monday-Friday 11:00-7:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached at (571)-272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.R./Examiner, Art Unit 3697
/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3697