Detailed Action
Acknowledgements
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in reply to the Response to Restriction Requirement filed on September 17, 2025.
Claims 29, 35, and 36 are canceled.
Claims 1-28 and 30-34 are pending.
Claims 32-33 are withdrawn.
Claims 1-28, 30-31, and 34 are examined.
This Office Action is given Paper No. 20251010 for references purposes only.
Election/Restrictions
Applicant's election with traverse of Group I, claims 1-28, 30-31, and 34, in the reply filed on September 17, 2025 is acknowledged. The traversal is on the ground(s) that both groups share common features such as a transaction identifier and timestamp, and therefore there is not a serious search burden. This is not found persuasive because the inventions have acquired a separate status in the art due to their different classifications and divergent subject matter. Group II is a combination that does not require the particulars of the subcombination, and the subcombination has utility by itself such as initiating a secure monitored session and capturing a customer PAN at the merchant terminal (see Restriction Requirement mailed on June 30, 2025).
The requirement is still deemed proper and is therefore made FINAL.
Claims 32-33 are withdrawn from further consideration pursuant to 37 CFR 1.142(b), as being drawn to a nonelected invention, there being no allowable generic or linking claim. Applicant timely traversed the restriction (election) requirement in the reply filed on September 17, 2025.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Information Disclosure Statement
The Information Disclosure Statement filed on September 13, 2023 has been considered. An initialed copy of the Form 1449 is enclosed herewith.
Claim Rejections - 35 USC § 112b
The following is a quotation of 35 U.S.C. 112(b):
(B) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-28, 30-31, and 34 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 1 and 34 recite “the second secure monitored session refers to a mutually authenticated connection.” This phrase is vague and indefinite because it is unclear whether this refers to “the mutually authenticated connection” previously recited, or to “a second mutually authenticated connection.” For purposes of applying the prior art only, Examiner will interpret as “a second mutually authenticated connection.”
Claim 12 recites “the merchant app.” There is lack of antecedent basis for this term. For purposes of applying the prior art only, Examiner will interpret as “a merchant app.”
Claim 19 recites “white box cryptography tables.” This phrase is vague and indefinite because it is unclear whether this refers to “the white box cryptography tables” previously recited, or to “second white box cryptography tables.” For purposes of applying the prior art only, Examiner will interpret as “second white box cryptography tables.”
Claim 19 recites “bytes.” This phrase is vague and indefinite because it is unclear whether this refers to “the bytes” previously recited, or to “second bytes.” For purposes of applying the prior art only, Examiner will interpret as “second bytes.”
Claim 19 recites “white box cryptography session.” This phrase is vague and indefinite because it is unclear whether this refers to “the white box cryptography session” previously recited, or to “second white box cryptography session.” For purposes of applying the prior art only, Examiner will interpret as “second white box cryptography session.”
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 34 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent eligible subject matter.
Claim 34 is an apparatus claim drawn to a server configured to facilitate a method. There is no structure recited in the body of the claim.
Although claim 34 fails to fall under one of the four statutory categories, the claim could potentially be amended. When a claim fails to fall under at least one of the four statutory categories and it appears from Applicant’s disclosure that the claim could be amended to be directed to a statutory category, it should be determined whether the claim wholly embraces a judicially recognized exception, which includes laws of nature, physical phenomena, and abstract ideas, or is it a particular practical application of a judicial exception. See MPEP 2106 I and II.
Alice analysis
Claims 1-28, 30-31, and 34 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Step 2A Prong 1: The claims recite an abstract idea of conducting a secure transaction with transaction identifiers and timestamps, which is a certain method of organizing human activity (e.g. fundamental economic principles or practices including hedging, insurance, mitigating risk; commercial or legal interactions including agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, business relations; managing personal behavior or relationships or interactions between people including social activities, teaching, and following rules or instructions).
Claim 1, representative of claim 34, includes the following limitations:
Initiating a first secure monitored session between a merchant and transaction server;
Capturing a primary account number (PAN) at the merchant, wherein the PAN is associated with a customer account at a financial institution, wherein the PAN represents a debit or credit number, a tokenized version, or an encrypted version;
Sending a request for a transaction from the merchant to the transaction server, wherein the request includes the PAN and an amount;
Generating a transaction identifier (TRANS-ID) and a timestamp (TIMESTAMP1), and sending them to the merchant;
Capturing the visual representation by a camera of a customer device;
Presenting a user interface to enter the PIN;
Generating a PIN block using a random primary account number;
Transmitting the PIN block to the transaction server;
Obtaining a verification or rejection of the transaction;
Transmitting the verification or rejection to the merchant to complete the transaction.
Step 2A Prong 2: The claim limitations recite the following additional elements that are beyond the judicial exception:
a merchant terminal;
a transaction server;
a camera of a customer device;
user interface;
wherein the first session is a mutually authenticated session using encryption;
encoding the TRANS-ID and TIMESTAMP1 in a visual representation;
launching a customer app that is configured to initiate a second secure monitored session between the customer device and transaction server, wherein the second session is mutually authenticated for providing a safe window to enter a PIN.
These additional elements are not indicative of integration into a practical application because:
They add the words “apply it” (or an equivalent) with the judicial exception, or are mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea. See MPEP 2106.05(f).
They generally link the use of the judicial exception to a particular technological environment or field of use. See MPEP 2106.05(h).
Step 2B: The claim limitations do not recite additional elements, or an ordered combination of additional elements, that are sufficient to amount to significantly more than the judicial exception.
As discussed with respect to step 2A prong 2 above, the additional elements of “a merchant terminal”, “a transaction server”, “a camera of a customer device”, and “user interface” are mere instructions to apply an exception, and do not integrate a judicial exception into a practical application at step 2A or provide an inventive concept at step 2B.
According to the 2019 PEG, a conclusion that an additional element is mere instructions to apply an exception under step 2A should be re-evaluated at step 2B. Thus, the additional elements of “a merchant terminal”, “a transaction server”, “a camera of a customer device”, and “user interface” are re-evaluated to determine whether they constitute significantly more. Examiner finds that the additional elements of “a merchant terminal”, “a transaction server”, “a camera of a customer device”, and “user interface” are simply the use of a computer in its ordinary capacity and do not provide significantly more. See Affinity Labs v. DirecTV, 838 F.3d 1253, 1262 and MPEP 2106.05(f). For example, the additional elements only provide a result-oriented solution and lack details as to how the computer performs the modifications, which is equivalent to “apply it”. See Alice Corp. v. CLS Bank, 134 S. Ct. 2347, 2357 and MPEP 2106.05(f).
As discussed with respect to step 2A prong 2 above, the additional elements of “wherein the first session is a mutually authenticated session using encryption”, “encoding the TRANS-ID and TIMESTAMP1 in a visual representation”, “launching a customer app that is configured to initiate a second secure monitored session between the customer device and transaction server, wherein the second session is mutually authenticated for providing a safe window to enter a PIN” generally link the use of the judicial exception to a particular technological environment or field of use, and do not integrate a judicial exception into a practical application at step 2A or provide an inventive concept at step 2B.
According to the 2019 PEG, a conclusion that an additional element is mere instructions to apply an exception under step 2A should be re-evaluated at step 2B. Thus, the additional elements of “wherein the first session is a mutually authenticated session using encryption”, “encoding the TRANS-ID and TIMESTAMP1 in a visual representation”, “launching a customer app that is configured to initiate a second secure monitored session between the customer device and transaction server, wherein the second session is mutually authenticated for providing a safe window to enter a PIN” are re-evaluated to determine whether they constitute significantly more. Examiner finds that the additional elements of “wherein the first session is a mutually authenticated session using encryption”, “encoding the TRANS-ID and TIMESTAMP1 in a visual representation”, “launching a customer app that is configured to initiate a second secure monitored session between the customer device and transaction server, wherein the second session is mutually authenticated for providing a safe window to enter a PIN” are merely an attempt to limit the use of the abstract idea to a particular technological environment. See Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709, 716 and MPEP 2106.05(h).
Therefore, when considering all the additional claim elements both individually and as an ordered combination, Examiner finds that the claim does not amount to significantly more than the exception.
The dependent claims fail to cure this deficiency and are rejected accordingly.
Claim 2 recites communicating with a merchant app, which generally links the use of the judicial exception to a particular technological environment or field of use (e.g. merely an attempt to limit the use of the abstract idea to a particular technological environment). See Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709, 716 and MPEP 2106.05(h).
Claims 3 and 19 recite creating a second unique random number, generating a session key, calculating a key check value, sending data to the transaction server, sending white box cryptography tables that are encrypted, decrypting the tables, replacing a first random number with the second random number, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claim 4 recites applying a one way function, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claim 5 recites replacing the random number with an alternate number, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claims 6-7 recite detecting an error condition, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claims 8-9 recite the tables include a single use key, which is merely describing data and further defining the abstract idea.
Claims 10-11 and 23-24 recite replacing the tables at different time intervals, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claims 12-14 and 26-28 recite executing a check routine to check for tampering signs, which is insignificant extra-solution activity (e.g. mere data gathering). See CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, and MPEP 2106.05(g).
Claims 15-16 recite the different types of visual representations, which is merely describing data and further defining the abstract idea.
Claims 17-18 recite the different types of devices, which is merely describing data and further defining the abstract idea.
Claims 20-21 recite how to calculate the session key, which is insignificant extra-solution activity (e.g. mere data gathering). See CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, and MPEP 2106.05(g).
Claim 22 recites replacing the transaction identifier and timestamp, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claim 25 recites deleting the tables, which is insignificant extra-solution activity (e.g. selecting a particular data source or type of data to be manipulated). See Electric Power Group, and MPEP 2106.05(g).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 12-18, 30-31, and 34 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bodalia et al. (US 2025/0238781), in view of Itwaru (US 2018/0047010), and further in view of Grandcolas et al. (US 2012/0072714).
Claims 1, 34
Bodalia discloses:
initiating a first secure monitored session (see figure 2A) between a merchant terminal (POS terminal, see [0072]) and a transaction server (payment processing server, see [0072]); wherein the first secure monitored session refers to a mutually authenticated connection in which sensitive data is encrypted (e.g. encrypted payment data, see [0216]);
during the first secure monitored session, capturing a customer primary account number (PAN) (e.g. debit card, credit card, see [0072]) at the merchant terminal (POS terminal, see [0072]), the customer primary account number being associated with a customer account (stored balance, see [0058]) at a financial institution; wherein the PAN represents a debit or credit card number (e.g. debit card, credit card, see [0072]), a tokenized version thereof, or an encrypted version thereof that is associated with the customer account at the financial institution;
sending a request (request, see [0074]) for a transaction from the merchant terminal (merchant, see [0074]) to the transaction server, the request including the customer PAN (e.g. debit card, credit card, see [0072]) at the merchant terminal (POS terminal, see [0072]) and a transaction amount (amount of transaction, see [0074]);
generating, at the transaction server, a transaction identifier (TRANS-ID) (transaction identifier, see [0130]) that is unique to the transaction and a timestamp (TIMESTAMP1) (timestamp, see [0130]) corresponding to a time when the transaction was requested or initiated, and sending TRANS-ID and TIMESTAMP1 to the merchant terminal;
encoding the TRANS-ID and TIMESTAMP1 in a visual representation (transaction code, e.g. QR code, see [0073]) for presentation on a display (display of merchant device, see [0073]);
allowing capture of the visual representation (capture of image of QR code, see [0073]) by a camera (camera, see [0073]) on a customer device (customer device, see [0073]);
in response to the capture of the visual representation on the customer device, launching a customer app (mobile payment application, see [0084]) on the customer device, wherein the customer app is configured to:
initiate a second secure monitored session (see figure 2A) between the customer device (customer device, see [0085]) and the transaction server (payment processing server, i.e. P2P payment platform and payment processing platform can be a same service provider, see [0047, 0086]);
obtaining, at the transaction server, a verification or rejection (whether approve or deny, see [0091]) of the transaction from the financial institution associated with the customer account; and
transmitting the verification or rejection (authorization response, see [0091]) of the transaction to the merchant terminal to complete the transaction.
Bodalia does not disclose:
Wherein… entered;
Control… PAN.
Itwaru teaches
wherein the second secure monitored session refers to a mutually authenticated connection for providing a safe window in which a PIN number (PIN, see [0083]) associated with the customer PAN is entered;
control the customer device to present the customer with a user interface (transaction interface, see [0083]) to enter the PIN number (enter PIN, see [0083]) associated with the customer PAN.
Bodalia discloses initiating a first session, capturing a PAN, sending a request for a transaction, generating a transaction id and timestamp, encoding a visual representation, capturing the visual representation, launching a customer app, initiating a second session, obtaining a verification or rejection, and transmitting the verification or rejection. Bodalia does not disclose entering a PIN number, but Itwaru does. It would have been obvious to one of ordinary skill in the art at the effective filing date of the invention to combine the transaction identification by comparison of merchant transaction data and context data of Bodalia with the entering a PIN number of Itwaru because 1) a need exists for contactless payments via integration of P2P payment (see Bodalia [0028]); and 2) a need exists for controlling how personal financial information is provided to other entities during a transaction (see Itwaru [0005]). Entering a PIN ensures that customer verification.
Bodalia in view of Itwaru discloses the limitations above. Bodalia in view of Itwaru does not disclose:
Generate… verification.
Grandcolas teaches:
generate a PIN block (PIN block, see [0037]) for the PIN number using a random primary account number (high quality random number, see [0039]) downloaded from the server and transmit the PIN block to the transaction server for verification.
Bodalia in view of Itwaru discloses initiating a first session, capturing a PAN, sending a request for a transaction, generating a transaction id and timestamp, encoding a visual representation, capturing the visual representation, launching a customer app, entering a PIN number, initiating a second session, obtaining a verification or rejection, and transmitting the verification or rejection. Bodalia in view of Itwaru does not disclose generating a PIN block, but Grandcolas does. It would have been obvious to one of ordinary skill in the art at the effective filing date of the invention to combine the transaction identification by comparison of merchant transaction data and context data of Bodalia, in view of Itwaru, with the generating a PIN block of Grandcolas because a need exists for encrypting user’s credentials in such a way that they never appear in the clear (see Grandcolas [0004]). Generating a PIN block ensures the PIN does not appear in the clear.
Claim 2
Furthermore, Grandcolas teaches:
the merchant terminal is authorized to communicate with the transaction server via a merchant app that is stored on the merchant terminal using a first unique random number (MA-RAND1) (random number, see [0015]) as a temporary merchant identifier in an onboarding process between the merchant terminal and the transaction server.
Claim 12
Furthermore, Itwaru teaches:
during the first secure monitored session, the merchant app executes a check routine (merchant authentication credentials, see [0134]) to check for signs of tampering by examining the integrity of the operating system, memory and/or stored code and files of the merchant terminal.
Claim 13
Furthermore, Itwaru teaches:
the merchant app executes within a Trusted Execution Environment of the merchant terminal (POS, see [0135]).
Claim 14
Furthermore, Itwaru teaches:
during the first secure monitored session, the merchant app reports data (consumer code data, see [0028]) from the check routine at least once per second to the transaction server and the transaction server compares the reported data to expected results (compare to lookup table, see [0028]) of the merchant app and the device type executed it is executing on.
Claim 15
Furthermore, Bodalia discloses:
the visual representation includes a QR code (QR code, see [0073]).
Claim 16
Furthermore, Bodalia discloses:
the visual representation includes a barcode (barcode, see [0073]).
Claim 17
Furthermore, Bodalia discloses:
the merchant terminal (POS terminal, see [0273]) is a user mobile device (user device, see [0273]).
Claim 18
Furthermore, Bodalia discloses:
the user mobile device is a smartphone (smart phone, see [0252]) or tablet computer.
Claim 30
Furthermore, Bodalia discloses:
a computer system (system, see [0250]) configured to perform a method according to claim 1.
Claim 31
Furthermore, Bodalia discloses:
a non-transitory carrier medium (non-transitory computer storage media, see [0255]) having instructions stored thereon such that, when executed on a computer, the computer is configured to perform a method according to claim 1.
Claim Interpretation
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure (see attached form PTO-892).
Hanson (US 2009/0204530) discloses a bar coded monetary transaction system and method.
For compact prosecution purposes and should Applicant overcome the prior art rejections noted above, Applicant is reminded that optional or conditional elements do not narrow the claims because they can always be omitted. See e.g. MPEP §2106 II C.: "Language that suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure does not limit the scope of a claim or claim limitation. [Emphasis in original.]"; and In re Johnston, 435 F.3d 1381, 77 USPQ2d 1788, 1790 (Fed. Cir. 2006) ("As a matter of linguistic precision, optional elements do not narrow the claim because they can always be omitted.").
Claims 5-6 recite “if KCV calculated at the transaction server mismatches.”
Claim 22 recites “if KCV2 calculated at the transaction server mismatches.”
Examiner hereby adopts the following definitions under the broadest reasonable interpretation standard. In accordance with In re Morris, 127 F.3d 1048, 1056, 44 USPQ2d 1023, 1029 (Fed. Cir. 1997), Examiner points to these other sources to support her interpretation of the claims.1 Additionally, these definitions are only a guide to claim terminology since claim terms must be interpreted in context of the surrounding claim language. Finally, the following list is not intended to be exhaustive in any way:
configuration “(1) (A) (software) The arrangement of a computer system or component as defined by the number, nature, and interconnections of its constituent parts.” “(C) The physical and logical elements of an information processing system, the manner in which they are organized and connected, or both. Note: May refer to hardware configuration or software configuration.” IEEE 100 The Authoritative Dictionary of IEEE Standards Terms, 7th Edition, IEEE, Inc., New York, NY, Dec. 2000.
Conclusion
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from Examiner should be directed to Chrystina Zelaskiewicz whose telephone number is 571-270-3940. Examiner can normally be reached on Monday-Friday, 9:30am-5:00pm. If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Neha Patel can be reached at 571-270-1492.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal/pair <http://pair-direct.uspto.gov>. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free).
/CHRYSTINA E ZELASKIEWICZ/Primary Examiner, Art Unit 3699
1 While most definition(s) are cited because these terms are found in the claims, Examiner may have provided additional definition(s) to help interpret words, phrases, or concepts found in the definitions themselves or in the prior art.