SYSTEM AND METHODS FOR OBTAINING REAL-TIME CARDHOLDER AUTHENTICATION OF A PAYMENT TRANSACTION

DETAILED ACTION Acknowledgements This Office Action is in response to Applicant’s correspondence filed on 1/6/26. The Examiner notes that citations to United States Patent Application Publication paragraphs are formatted as [####], #### representing the paragraph number. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Status of Claims Claims 1-20 are currently pending. Claims 1-20 are rejected as set forth below. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Claim Rejections - 35 U.S.C. § 103 Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No. 20090187492 to Hammad in view of United States Patent Application Publication No. 20170061441 to Kamal and United States Patent Application Publication No. 20150170136 to Patel. As per claims 1, 11¸ Hammad teaches: A method for obtaining real-time cardholder authentication of a payment transaction based on geolocation, said method comprising: receiving, from a point-of-sale terminal, a payment authorization request message including a primary account number corresponding to a payment account of a cardholder and location data corresponding to a physical location of the point-of-sale terminal; ([0032], “The access device 34 can then generate an authorization request message. The authorization request message may include information such as the transaction amount, a merchant identifier, CVV (card verification value), PAN (primary account number), and other information. The authorization request message is then forwarded to the acquirer 24. After receiving the authorization request message, the authorization request message is then sent to the server computer 26(a) in the payment processing network 26.”; [0034], “The server computer 26(a) may determine the location of the merchant 22 by determining a physical address or geographic coordinates that correspond to the merchant identifier received in the authorization request message.”) identifying the physical location of the point-of-sale terminal based on the location data included in the payment authorization request message; identifying a location of a mobile device of the cardholder; comparing the identified location of the mobile device to the identified physical location of the point-of-sale terminal; ([0033]-[0034], “At some point in time, the mobile communication device 32 can send its location information directly to the server computer 26(a) in the payment processing network 26, or the GPS system 36 may send the mobile communication device location information to the server computer 26(a) in the payment processing network 26. The server computer 26(a) in the payment processing network 26 can then determine if the portable consumer device and/or the consumer is authentic. The server computer 26(a) can compare the location information received from the mobile communication device 32 with the location of the merchant 22. The server computer 26(a) may determine the location of the merchant 22 by determining a physical address or geographic coordinates that correspond to the merchant identifier received in the authorization request message.”) transmitting an authentication request message to the mobile device; ([0034], “Alternatively, the server computer 26(a) may call the consumer 30 on the mobile communication device 32 and may attempt to authenticate the consumer 30 using challenge questions or the like.”) determining a comparison between the identified location of the mobile device and the identified physical location of point-of-sale terminal; upon the comparison being determined to be different, determining whether an authentication response message was received from the mobile device; ([0033]-[0034], “The server computer 26(a) can compare the location information received from the mobile communication device 32 with the location of the merchant 22. The server computer 26(a) may determine the location of the merchant 22 by determining a physical address or geographic coordinates that correspond to the merchant identifier received in the authorization request message. If the location information received from the two different sources matches, then the server computer 26(a) can determine that the transaction is authentic. If the location information received from the two different sources does not match, then the server computer 26(a) can determine that the transaction is not authentic. For example, if the merchant is located in Los Angeles, and the location of the mobile communication device 32 is in New York, then the server computer 26(a) may determine that the consumer 30 or the portable consumer device is not authentic. Alternatively, the server computer 26(a) may call the consumer 30 on the mobile communication device 32 and may attempt to authenticate the consumer 30 using challenge questions or the like.”) if the authentication response message was not received from the mobile device, populating a field of the payment authorization request message with a decline code; based on the determination that the authentication response message was received, releasing the hold on the payment authorization request message; ([0035], “The payment processing network 26 may then forward the authorization request message including its determination as to whether or not the transaction is authentic to the issuer 28.”) forwarding the payment authorization request message to an issuer associated with the primary account number; ([0035])) transmitting the payment authorization request message to an acquirer as a payment authorization response message. ([0036], “The payment processing network 26 then forwards the authorization response message back to the acquirer 24.”) Hammad does not explicitly teach, but Kamal teaches: the mobile device including a secondary authentication application configured to provide the location of the mobile device; ([0022], “As shown in FIG. 1A, the consumer mobile device 102 has a number of logical and/or functional components (in addition to the normal components typically found in a mobile device, such as an antenna, mobile device microprocessor(s), one or more memory devices and the like, which will be explained below). As shown, some of the components include a mobile application and/or browser 106, which may be provided by a payment network provider such as MasterCard International Incorporated, an authenticator application programming interface (API) 108, and at least one sensor 110.”; [0027], “The mobile telephone 102 may also include Global Positioning System (GPS) circuitry 144 operably connected to the main processor 122, and operable to generate information concerning the location of the mobile telephone.”) determining that the payment account requires secondary authentication of the payment transaction by the cardholder; placing the payment transaction on hold based on the determination that the payment account requires secondary authentication of the payment transaction; while the payment transaction is on hold, transmitting an authentication request message to the mobile device; ([0033], “Referring again to FIG. 1A, if the mobile application/browser 106 is authorized, the user is then prompted (for example, by a message displayed on a display screen of the consumer's Smartphone) to provide one or more forms of biometric data by using the sensor(s) 110 found on the consumer's mobile device 102. For example, predetermined business rules concerning user authentication for a purchase exceeding one hundred dollars ($100) may require a consumer to provide two forms of biometric data (for example, a fingerprint and a voice print). In this case, a fingerprint sensor and a microphone each captures, performs a matching process, and then stores the biometric data itself. If a match occurs for the captured user biometric data (both the fingerprint data and the voice print data) and the biometric template(s) (which have been generated and stored on the sensor(s) during user authentication enrollment and device registration) then an authentication response is transmitted back to the mobile application/browser 106 via the authenticator API 108 for forwarding to the issuer FI 104A (or to another trusted calling party which made the authentication request, such as the Token issuer 104B).”) One of ordinary skill in the art would have recognized that applying the known technique of Kamal to the known invention of Hammad would have yielded predictable results and resulted in an improved invention. It would have been recognized that the application of the technique would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such payment authentication features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the mobile device includes a secondary authentication application configured to provide the location of the mobile device and modifying the invention to determine whether the payment account requires secondary authentication of the payment transaction by the cardholder and place the payment transaction on hold if, based on the determination, the payment account requires secondary authentication of the payment transaction, results in an improved invention because applying said technique ensures that the transaction is securely authenticated via the additional secondary authentication, thus improving the overall security of the invention. Hammad as modified does not explicitly teach, but Patel teaches: determining that a difference between the identified location of the mobile device and the identified physical location of point-of-sale terminal is below a predefined threshold distance; monitoring the difference while the payment transaction is on hold until it exceeds the predetermined threshold distance; upon the difference exceeding the predetermined threshold distance, determining that an authentication response message was not received from the mobile device as of a time when the difference exceeds the predetermined threshold distance; ([0180]-[0183], “The payment module 100 sends (1258), via a short-range communication capability (e.g., BLE), the first transaction information to the first mobile device 150-1 to send to the server 130 in order to acknowledge the first transaction. For example, the connection between the first mobile device 150-1 and the payment module 100 is interrupted when the first user 1251-1 turns off the first mobile device 150-1, the first user 1251-1 turns the first mobile device 150-1 into airplane mode, the first user 1251-1 walks away out of the communication zone (i.e., BLE range) of the payment module 100, the first mobile device 150-1 otherwise loses its long-range communication connection, or the first mobile device 150-1 otherwise loses power. In some implementations, the first user 1251-1 is be blocked by the payment module 100 from performing any additional transactions until the payment module 100 receives an acknowledgement from the server 130 via any connection (e.g., from the second user 1251-2). In some implementations, the server 130 denies or limits the number of authorization grants sent to the first mobile device 150-1 until it has received transaction information or cancellation of authorization outstanding authorization grants sent to the first mobile device 150-1.) One of ordinary skill in the art would have recognized that applying the known technique of Patel to the known invention of Hammad as modified would have yielded predictable results and resulted in an improved invention. It would have been recognized that the application of the technique would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such location authentication features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the step of comparing the locations of the mobile device and the point-of-sale terminal to determine that a difference between the identified location of the mobile device and the identified physical location of point-of-sale terminal is below a predefined threshold distance, monitor the difference until it exceeds the predetermined threshold distance, and upon the difference exceeding the predetermined threshold distance, determining that an authentication response message was not received from the mobile device as of a time when the difference exceeds the predetermined threshold distance, results in an improved invention because applying said technique provides a more accurate and granular way to determine the difference between the locations of the mobile device and the point-of-sale terminal and prevent unauthorized transactions, thus improving the overall security of the invention. As per claims 2, 12¸ Hammad teaches: wherein identifying the location of the mobile device comprises obtaining location information by one or more of the following: a global positioning system service, ping data that includes geotemporal data, and from cell location register information held by a telecommunications provider to which the mobile device is connected. ([0016], “A global positioning system (GPS) associated with the mobile communication device may also be used to identify the location of the mobile communication device.”) As per claims 3, 13¸ Hammad teaches: wherein receiving, from the point-of-sale terminal, the payment authorization request message comprises intercepting the payment authorization request message transmitted from the point-of-sale terminal. ([0030]-[0032], “If the access device 34 is a POS terminal, any suitable POS terminal may include a reader 34(a), a processor 34(b) and a computer readable medium 34(c). The access device 34 can then generate an authorization request message. The authorization request message may include information such as the transaction amount, a merchant identifier, CVV (card verification value), PAN (primary account number), and other information. The authorization request message is then forwarded to the acquirer 24. After receiving the authorization request message, the authorization request message is then sent to the server computer 26(a) in the payment processing network 26.”) As per claims 4, 14¸ Hammad teaches: wherein the method is performed by a secondary authentication system that is a component of an interchange network. ([0025], “The payment processing network 26 may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. An exemplary payment processing network may include VisaNet.TM.. Payment processing networks such as VisaNet.TM. are able to process credit card transactions, debit card transactions, and other types of commercial transactions.”) As per claims 5, 15¸ Hammad teaches: wherein intercepting the payment authorization request message comprises intercepting the payment authorization request message intended for the interchange network. ([0030]-[0032]) As per claims 6, 17¸ Kamal teaches: receiving, from the secondary authentication application executing on the mobile device associated with the cardholder: account registration information, the account registration information including the primary account number and mobile device identification data corresponding to the mobile device; account credentials comprising a login identifier and a password; a biometric profile of the cardholder, the biometric profile including a digital representation of a select physical feature of the cardholder; and a secondary authentication restriction; generating a new cardholder account, the new cardholder account including the account registration information, the account credentials, and the secondary authentication restriction; and storing the new cardholder account and the biometric profile. ([0029]-[0031], “In some embodiments, a consumer or user or cardholder may be required to participate in a consumer mobile device registration and user authentication enrollment process before user authentication processing in accordance with methods described herein can occur. In some implementations, such a registration process may include a user or consumer or cardholder operating his or her consumer mobile device to interact with one or more payment processing systems or networks (not shown). For example, in a payment processing network example, a cardholder may register information associated with a financial institution associated with the user's or cardholder's payment account (such as a credit card issuer bank which issued a credit card account and/or a debit card account to the user or consumer). The payment processing network server may then generate and transmit a consumer registration request challenge message to the consumer's mobile device prompting the user to provide biometric data for use in authentication of that user. As part of the user enrollment process, the user may transmit a consumer device identifier (ID) and/or a mobile directory number (“MDN”) from the consumer mobile device to an entity, such as a payment processing network server or issuer financial institution. In the system configuration shown in FIG. 1A, the biometric data (which may include, for example, one or more of user fingerprint biometric data, a voice print, facial data, and other data such as pulse data or the like), the device ID, and the MDN are stored on or by the sensor itself so that this data may be retrieved and utilized by the user's mobile device as needed when performing user authentication processing.”; [0033]) As per claims 7, 18¸ Kamal teaches: wherein determining that the payment account requires secondary authentication of the payment transaction comprises determining that the payment transaction requires secondary authentication based on the secondary authentication restriction. ([0033]) As per claims 8, 19¸ Kamal teaches: identifying the mobile device associated with the new cardholder account based on the mobile device identification data. ([0031]) As per claim 9¸ Kamal teaches: wherein placing the payment transaction on hold comprises: interrupting a normal transaction process; and storing the payment authorization request message. ([0033]) As per claims 10, 20¸ Kamal teaches: wherein transmitting the authentication request message to the mobile device comprises pushing the authentication request message to a secondary authentication application installed at least partially on the mobile device, the authentication request message causing the mobile device to display a notification indicating that the authentication request message is received. ([0033], “Referring again to FIG. 1A, if the mobile application/browser 106 is authorized, the user is then prompted (for example, by a message displayed on a display screen of the consumer's Smartphone) to provide one or more forms of biometric data by using the sensor(s) 110 found on the consumer's mobile device 102. For example, predetermined business rules concerning user authentication for a purchase exceeding one hundred dollars ($100) may require a consumer to provide two forms of biometric data (for example, a fingerprint and a voice print).”) As per claim 16¸ Hammad teaches: wherein forwarding the payment authorization request message to the issuer comprises forwarding the payment authorization request message to the interchange network such that the interchange network forwards the payment authorization request message to the issuer. ([0034]-[0035]) Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: United States Patent Application Publication No. 20130268378 to Yovin discloses an invention for performing a transaction involving a mobile communication device. The method includes receiving at a terminal a transaction request from the mobile communication device over a short-range communication link. An authorization request is sent to an authorizing agent requesting approval to complete the transaction in response to receipt of the transaction request. Approval to complete the transaction is received if the mobile communication device has been determined to be located within a predetermined distance of the terminal. The transaction with the mobile communication device is only completed after receiving the approval. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAY HUANG whose telephone number is (408)918-9799. The examiner can normally be reached 9:00a - 5:30p PT. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Anita Coupe can be reached at (571) 270-3614. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAY HUANG/Primary Examiner, Art Unit 3619