Systems, Methods and Computer Program Products for Contactless Payment Card Security at Unattended Type Terminals

§102 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/10/2026 has been entered. Response to Amendment Applicant’s “Amendment” filed on 02/10/2026 has been considered. Claims 1, 3-9, 11-17, and 20 are amended. Claims 2, 10, 18, and 19 are canceled. Claims 1, 3-9, 11-17, and 20-21 remain pending in this application and an action on the merits follow. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. Claims 1, 3, 4, 9, 11, 12, 17, and 20-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent No. 10,366,378 to Han et al. With regard to claims 1, 9, and 17, Han discloses a system for implementing a contactless payment card based payment transaction, the system comprising at least one processor implemented cloud POS server and configured to: receive from a communication device (Fig. 1, col. 11, lines 62-65, Payment card may also include a payment object, such as an electronic device configured to initiate contactless payment transactions, e.g., a key fob, a mobile device (such as a mobile device having an NFC tag).): a first unique identifier associated with a contactless payment card (col. 16, lines 42-47 and col. 14, lines 26-44, The payment object reader 110 also extracts relevant payment transaction data, i.e., information required for processing payment transactions, including, but not limited to, debit account information, credit cardholders name, credit card number, expiration date and card verification value (CVV), digital permanent account number (PAN), etc. ); and a second unique identifier associated with the communication device (col. 4, lines 65-col. 5, lines 10, Such device characteristics can be used for device identification or fingerprinting. The device characteristics can also be unique identifiers associated with the device, such as device name, device identification number, and the like. ), wherein the communication device has a software application implemented therein, and the software application is configured to implement payment transactions through a remote e-commerce server (col. 11, lines 56-57, A financial instrument can be a software instrument or virtual instrument, such as a virtual wallet.); and wherein transmission of the first unique identifier and the second unique identifier from the communication device is implemented in response to: the communication device detecting a contactless card tap event involving the contactless payment card and associated with a payment transaction being implemented between the software application and the remote e-commerce server (Fig. 3A-3B, col. 33, lines 28-col. 34, lines 20 and col 35, lines 23-26, The process 300 starts with the operation at block 302. A buyer 202 with a buyer device 202-1 approaches a checkout area at a merchant location, which is equipped with a payment object reader 206 (step 302) and presents a method of payment, e.g., a payment object like a chip-based payment object operating on EMV technology, into the payment object reader 206, for example through a dip, swipe, tap or such action. At step 308, after obtaining card information, the payment object reader 206 proceeds to detecting entry of the buyer device 202-1. The responses form the digital device fingerprints, which are to be used for device identification and authentication of a payment transaction at a later time, are then sent to the payment object reader, as shown in step 318. ); and the communication device retrieving the first unique identifier from the contactless payment card (col. 7, lines 2-14, Then subsequently detecting presence of a buyer device or a cluster of devices at the time of transaction made by a card connected to the buyer device and using presence of such devices towards authentication of a payment transaction to securely and reliably process the buyer's transaction by retrieving the buyer's financial account associated with the swiped card. ); and determine, based in part on accessing a database of records that stores combinations of payment card identifiers and communication device identifiers for payment transactions that have been previously successfully authorized, that a combination of the first unique identifier and the second unique identifier have been previously recorded in the database of records for a payment transaction that was authorized (col. 32, lines 21-31 and col. 49, lines 40-58, For example, the payment processing system 242 compares previously stored merchant profiles, buyer profiles or fingerprints of the devices registered by the buyer 202 and the digital signature 225 or profile obtained at the payment object reader 206 through the comparator 244. The generated fingerprints are compared with the fingerprints in the database and the fingerprint in the database that is closest to the generated fingerprint is selected as the match. The buyer profile includes an association of a previously obtained device characteristic with information identifying a previously received payment object. The POS device 704 may apply the payment instrument identifier or the element to the encrypted data 706 (bloom filter arrays) to determine if there is a match. If there is a match between the payment instrument identifier or the element and the encrypted data 706, the merchant may know the customer is a returning customer (i.e., the payment instrument has been used in a previous successful transaction).); and based on determining that the combination of the first unique identifier and the second unique identifier have been previously recorded for a payment transaction that was authorized, transmit a payment instruction to a payment network for transaction implementation without requiring further transaction authorization (Fig. 4B, col. 39, lines 51-56, and col. 49, lines 63-64, If the match operation (step 426) as a result of the comparison at step 424 yields a “Yes,” the flow transitions to step 428, or optionally to step 432 (as shown). First, the PPS 114 identifies the buyer as a known user (e.g., after performing the comparison itself, or after receiving a confirmation from a buyer mobile device proximate to the POS terminal after the buyer mobile device performs the comparison, etc.). Then, the POS terminal authorizes the offline payment transaction as approved since the device was previously registered and is known to be low risk. Knowing the payment instrument 710 or customer's device has been used in previous successful transactions, the POS device may automatically process the transaction if there is bit array match.). With regard to claims 3 and 11, Pearce discloses before transmitting the payment instruction to the payment network, verify that a transaction value with associated the payment transaction being implemented between the software application the remote e-commerce server is less that an defined card verification method (CVM) threshold value (fig. 4B, col. 39, lines 51-col. 40, lines 40, At step 432, the POS terminal also checks whether the registered device corresponding to the buyer digital signature is associated with any rules or conditions that restrict the use of the registered buyer device as a tool for payment authentication. setting a maximum amount per transaction, or per merchant, or per merchant per transaction (which could apply to a specific merchant or to all merchants)). With regard to claims 4, 12, and 20, Han discloses the system is further configured to: receive, from a second communication device (Fig. 1, col. 11, lines 62-65): a third unique identifier associated with a second contactless payment card (col. 16, lines 42-47 and col. 14, lines 26-44); and a fourth unique identifier associated with the second communication device (col. 4, lines 65-col. 5, lines 10), wherein the second communication device has a second software application implemented therein, and the second software application is configured to implement payment transactions through the remote e-commerce server (col. 11, lines 56-57); and wherein transmission of the third unique identifier and the fourth unique identifier from the second communication device is implemented in response to: the second communication device detecting a second contactless card tap event involving the second contactless payment card and associated with a second payment transaction being implemented between the second software application and the remote e-commerce server (Fig. 3A-3B, col. 33, lines 28-col. 34, lines 20 and col 35, lines 23-26); and the second communication device retrieving the third unique identifier from the contactless payment card (col. 7, lines 2-14); and determine, based in part on accessing the database of records that stores combinations of payment card identifiers and communication device identifiers for payment transactions that have been previously successfully authorized, that a combination of the third unique identifier and the fourth unique identifier have not been previously recorded in the database of records for a payment transaction that was authorized (col. 32, lines50-57, If the digital signature 225 does not match, the payment object reader 206 generates a notification for the buyer 202 to try another means of payment or authorize through conventional means by providing an authorization code); trigger a transaction authorization communication flow or a transaction authentication communication flow (col. 32, lines50-57, generates a notification for the buyer 202 to try another means of payment or authorize through conventional means by providing an authorization code); and transmit a payment instruction from the cloud POS server to a payment network for transaction implementation, in response to successful transaction authorization or transaction authentication (col. 32, lines50-57, Once authenticated, the payment transaction is fulfilled through the issuer, acquirer and card processing network, as described in FIG. 1, for example when the payment object reader 206 established online connection with the PPS 242.). With regard to claim 21, Han disclose the second unique identifier comprises a unique hardware identifier or a unique software identifier (col. 4, lines 65-col. 5, lines 10). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 5, 8, 13, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10,366,378 to Han et al., in view of U.S. Patent No. 11,341,470 to Pearce. With regard to claims 5 and 13, Han substantially discloses the claimed invention, however, Han does not disclose the authorization communication flow process. However, Pearce teaches trigger the transaction authentication communication flow by: receiving, from a lookup server, identification of an issuer associated with the second contactless payment card (Pearce, col. 10, lines 14-24, the payment information may include any of a type of payment card (e.g., Visa®, MasterCard®, etc.)); transmitting, from the cloud POS server to an issuer server associated with the issuer, a transaction authorization request corresponding to the second payment transaction, and any unique identifier associated with the second contactless payment card (Pearce, col. 10, lines 57-65, The merchant server 122 transmits a payment approval request to the card issuer computing system 108 at 414. The payment approval request includes the payment information, the authentication code, and a payment amount associated with the transaction (i.e., the cost of the goods and/or services being purchase by the user and from the merchant). In some arrangements, the payment approval request also includes user information (e.g., the user's name, the user's address, etc.).); receiving, from the issuer server, a transaction authorization confirmation message confirming that the second payment transaction has been authorized, wherein the transaction authorization confirmation message is transmitted by the issuer server based on a result of a call-response based authorization or authentication involving a cardholder associated with the contactless payment card (Pearce, col. 11, lines 16-18, An approval decision is transmitted at 418. The approval decision is transmitted from the card issuer computing system 108 to the merchant server 122.); generating and storing, in the database of records, a data record associating the combination of the third and the fourth unique identifiers (Pearce, col. 5, lines 1-17, The information contained in the customer database 120 including for example, a customer's transaction history); and initiating an implementation of the second payment transaction, wherein the implementation involves a transfer of a transaction amount from a payment account associated with the second contactless payment card to a beneficiary payment account (Pearce, col. 3, lines 8-14, the online marketplace can receive payment information (e.g., payment card or financial account information) and cause funds to transfer from one account (e.g., an account associated with a buyer) to another account (e.g., an account associated with a seller).). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Han to include, the authorization communication flow process, as taught in Pearce, in order to authenticate online purchases by detecting a presence of an authorized smart card (Pearce, abstract). With regard to claims 8 and 16, Han substantially discloses the claimed invention, however, Han does not disclose transmitting, from the cloud POS server to an issuer server associated with the identified issuer, the transaction authorization request corresponding to the payment transaction, and any unique identifier associated with the second contactless payment card, is preceded by assigning a zero-value to a session-specific CVM threshold value associated with a near-field-communication session that has been initiated by the second contactless card tap event detected at the second communication device. However, Pearce teaches transmitting, from the cloud POS server to an issuer server associated with the identified issuer, the transaction authorization request corresponding to the payment transaction, and any unique identifier associated with the second contactless payment card, is preceded by assigning a zero-value to a session-specific CVM threshold value associated with a near-field-communication session that has been initiated by the second contactless card tap event detected at the second communication device (col. 6, lines 47-col. 7, lines 9, the authentication request is a transaction authorization request entailing a charge of little to no funds (e.g., a transaction of $0.01, or $0.00). In some such arrangements, the authentication logic 118 can recognize that a requested transaction of $0.00 indicates an attempt to authorize an online purchase on a personal computing device and apply a specific set of authentication rules.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Han to include, transmitting, from the cloud POS server to an issuer server associated with the identified issuer, the transaction authorization request corresponding to the payment transaction, and any unique identifier associated with the second contactless payment card, is preceded by assigning a zero-value to a session-specific CVM threshold value associated with a near-field-communication session that has been initiated by the second contactless card tap event detected at the second communication device, as taught in Pearce, in order to authenticate online purchases by detecting a presence of an authorized smart card (Pearce, abstract). Claims 6-7 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10,366,378 to Han et al, and further in view of U.S. Patent Application Publication No. 2022/0294894 to Hefetz. With regard to claims 6 and 14, Han discloses generating and storing, in the database of records, a data record associating the combination of the third and the fourth unique identifiers (col. 32, lines 21-31 and col. 49, lines 40-58); and initiating an implementation of the second payment transaction, wherein the implementation involves a transfer of the transaction amount from a payment account associated with the second contactless payment card to a beneficiary payment account (col. 13, lines 13-17, the payment service system detects the user's intent to send money, e.g., $10, to “$funnyguy311” and initiates the transfer of money upon identification of a recipient financial account), however, the combination of references does not disclose trigger the transaction authentication communication flow by: receiving, from the second communication device, one or more card tap event parameters associated with the second contactless card tap event. However, Hefetz teaches receiving, from the second communication device, one or more card tap event parameters associated with the second contactless card tap event (Automatically broadcast means that the information is constantly broadcast, and triggered broadcast means that the information is broadcast only upon a certain action, such as pressing a button or tapping an RFID-equipped device near an RFID receiver, paragraph 107); receiving, from a risk assessment server, a transaction authorization conformation message, wherein: the transaction authorization confirmation message is transmitted by the risk assessment server based on a security assessment of the second contactless card tap event, wherein the security assessment is generated at the risk assessment server based on the received one or more card tap event parameters (After the mobile voice device owner has tapped or swiped his credit card at a POS/ATM, or has otherwise initiated a transaction, the Antifraud Assessment System checks that the mobile voice device geographical information received from the carrier/aggregator matches with the Receiver's geographical information. if the mobile voice device and the receiver's geographical information do match, the transaction is completed, paragraphs 124-128); and the transaction authorization confirmation message is transmitted by the risk assessment server in response to the security assessment comprising a positive security assessment (a confidence score is calculated to determine if the position mismatch with respect to the first and second locations is acceptable or unacceptable, and the alert is only generated if the confidence score is below a predetermined threshold, paragraph 52). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Han to include, receiving, from the second communication device, one or more card tap event parameters associated with the second contactless card tap event… the transaction authorization confirmation message is transmitted by the risk assessment server in response to the security assessment comprising a positive security assessment, as taught in Hefetz, in order to accelerate verifying identity and authenticating “tap & pay” transactions (Hefetz, paragraph 12). With regard to claims 7 and 15, Han substantially discloses the claimed invention, however, Han does not disclose the second contactless card tap event parameters comprise one or more of: one or more communication device motion parameters describing motion, movement, velocity or acceleration of the second communication device; and location parameters identifying the location of the second contactless card tap event. However, Hefetz teaches the second contactless card tap event parameters comprise one or more of: one or more communication device motion parameters describing motion, movement, velocity or acceleration of the second communication device; and location parameters identifying the location of the second contactless card tap event (the use of an identity is associated with a first time stamp. The first time stamp corresponds to the time of the associated electronic transaction (or attempted electronic transaction) performed at a first location, and wherein the step of reading a cached location is associated with a second time stamp. The speed can be calculated based on the distance between the first and second locations and the time difference between the first and second time stamps such that the first and second locations are judged not to match in geographical proximity if the speed is above a predetermined value. the Antifraud Assessment System checks that the mobile voice device geographical information received from the carrier/aggregator matches with the Receiver's geographical information. paragraphs 51 and 127). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Han to include, the second contactless card tap event parameters comprise one or more of: one or more communication device motion parameters describing motion, movement, velocity or acceleration of the second communication device; and location parameters identifying the location of the second contactless card tap event, as taught in Hefetz, in order to accelerate verifying identity and authenticating “tap & pay” transactions (Hefetz, paragraph 12). Response to Arguments Applicants' arguments filed on 02/10/2026 have been fully considered but they are not fully persuasive especially in light of the new prior art applied in the rejections. Applicants remark that “Pearce fails to describe "determine, based in part on accessing a database of records that stores combinations of payment card identifiers and communication device identifiers for payment transactions that have been previously successfully authorized, that a combination of the first unique identifier and the second unique identifier have been previously recorded in the database of records for a payment transaction that was authorized; and based on determining that the combination of the first unique identifier and the second unique identifier have been previously recorded for a payment transaction that was authorized, transmit a payment instruction to a payment network for transaction implementation without requiring further transaction authorization" as recited in the independent claims”. Examiner directs Applicants' attention to the office action above. Conclusion Please refer to form 892 for cited references. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARIEL J YU whose telephone number is (571)270-3312. The examiner can normally be reached 11AM - 7PM (M-F). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Obeid Fahd A can be reached on 571-270-3324. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /ARIEL J YU/Primary Examiner, Art Unit 3627