Prosecution Insights
Last updated: April 19, 2026
Application No. 18/611,162

SYSTEMS AND METHODS FOR AUTHORIZING A TRANSACTION WITH AN UNEXPECTED CRYPTOGRAM

Final Rejection §101 §103
Filed: Mar 20, 2024
Examiner: SHAHABI, ARI ARASTOO
Art Unit: 3697
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: Ov Loop Inc.
OA Round: 2 (Final)
Grant Probability: 52% (Moderate)
OA Rounds: 3-4
To Grant: 3y 4m
With Interview: 93%

Examiner Intelligence

Grants 52% of resolved cases
Career Allow Rate: 52% (105 granted / 200 resolved, +0.5% vs TC avg)
Interview Lift: +40.1% (strong +40% interview lift, resolved cases with interview)
Typical timeline: 3y 4m avg prosecution, 21 currently pending
Career history: 221 total applications across all art units

Statute-Specific Performance

§101: 34.2% (-5.8% vs TC avg)
§103: 22.8% (-17.2% vs TC avg)
§102: 11.4% (-28.6% vs TC avg)
§112: 26.0% (-14.0% vs TC avg)
Tech Center average is an estimate. Based on career data from 200 resolved cases.

Office Action

DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application is being examined under the pre-AIA first to invent provisions.

Status of Claims

Claims 21 and 36 are amended. Claims 1-20, 24, 30-32, 39, 45-47 and 50-58 are canceled. Claims 21-23, 25-29, 33-38, 40-44, and 48-49 are pending.

Response to Remarks

35 U.S.C. § 101

Remark 1: Applicant contends that the claim does not recite a judicial exception because it is directed to a secure application-based payment card transaction authorization process by a mobile device that includes receiving unpredictable data provided by the POS, generation of a response cryptogram without using a permanent key, and APDU packaging for remote authorization.

Response to Remark 1: Applicant's argument is not persuasive because these features are part of the additional elements discussed in Step 2A, Prong Two.

Remark 2: Applicant contends that the claim recites a particular combination of ordered steps intended to achieve a technical solution that brings about specific improvements in the underlying technology, which together improve security, reduce key exposure, and maintain interoperability with card specifications.

Response to Remark 2: Examiner respectfully disagrees. What applicant contends is an improvement is merely an improvement in the recited abstract idea, and not an improvement in the functioning of computers, nor technology, nor a technical field. Moreover, a general-purpose computer would be capable of performing these same operations of a mere improvement in the abstract idea. Here, the additional elements individually and in combination, are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea (MPEP § 2106.05(f)) and generally linking the use of the abstract idea to a particular technological environment (MPEP § 2106.05(h)). The description of the additional elements evidences that they are generic and conventional elements used as tools to perform the abstract idea (See Pre-Grant Publication 0047, 0049, 0051, 0067-0091, 0148-0168, 0241, 0274-0277, 0283-0287). Accordingly, this contention is unpersuasive.

Remark 3: Applicant contends that the Office has failed to meet its evidentiary burden for Step 2B.

Response to Remark 3: Examiner respectfully disagrees. Step 2B determines whether the claim as a whole amounts to significantly more than the abstract idea itself (MPEP § 2106.05). Evaluating additional elements to determine whether they amount to an inventive concept requires considering them both individually and in combination to ensure that they amount to significantly more than the abstract idea itself. Individually, the additional elements do not amount to significantly more than the abstract idea. As discussed previously, the description of the additional elements evidences that they are generic and conventional elements used as tools to perform the abstract idea (See Pre-Grant Publication 0047, 0049, 0051, 0067-0091, 0148-0168, 0241, 0274-0277, 0283-0287). There is nothing in the Specification to indicate that the operations recited in the claims require any specialized hardware or inventive computer components or that the claimed invention is implemented using other than generic computer components to perform generic computer functions. As such, the additional elements merely serve as a tool to perform the abstract idea and generally link the use of the abstract idea to a particular technological environment. The ordered combination recites no more than the individual elements do. Thus, the additional elements are not significantly more than the abstract idea. Accordingly, the claims are directed to the abstract idea identified above without significantly more. The claims are not eligible, warranting a rejection for lack of subject matter eligibility and concluding the eligibility analysis. Accordingly, this contention is unpersuasive.

35 U.S.C. § 112(b)

Applicant’s amendments to the claims have overcome the previous rejections. Accordingly, the previous rejections are withdrawn.

35 U.S.C. § 103

Remark 4: Applicant contends that none of the paragraphs of 23, 39 and 73-78 in reference Chen describes receiving a substituted account number from a remote computer system.

Response to Remark 4: Examiner respectfully disagrees. First, Applicant has ignored most of the citations provided in the Office action dated 06/17/2025. Second, the claimed substituted account number is non-functional descriptive material not functionally involved in a step/function recited. Any associated step/function would be performed the same regardless of the descriptive material since the step/function does not explicitly interact therewith. Limitations that are not functionally interrelated with the useful acts, structure, or properties of the claimed invention carry little or no patentable weight. Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability. See In re Ngai, 70 USPQ2d 1862 (CAFC 2004); In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994). Accordingly, this contention is unpersuasive.

Remark 5: Applicant contends that the proposed combination of Royyuru and Chen would fundamentally conflict with Royyuru's operating principles because nothing in Royyuru suggests, contemplates, or motivates altering its architecture to involve remote provisioning of a substituted account number.

Response to Remark 5: Examiner respectfully disagrees. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5). Accordingly, this contention is unpersuasive.

Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 21-23, 25-29, 33-38, 40-44, and 48-49 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claims 21-23, 25-29 and 33-35: Step 1 Claims 21-23, 25-29 and 33-35 are directed to a computer-implemented method (i.e., process). Therefore, these claims fall within the four statutory categories of invention, and thus must be further analyzed at Step 2A to determine if the claims are directed to a judicial exception (See MPEP 2106.03, subsection II). Step 2A Prong One In Prong One examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. Claim 21 recites (i.e., sets forth or describes) an abstract idea of payment card transaction authorization. Specifically, but for the additional elements, the claim under its broadest reasonable interpretation recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The certain method of organizing human activity grouping is used to describe fundamental economic principles or practices, commercial or legal interactions, and managing personal behavior or relationships or interactions between people. Fundamental economic principles or practices are relating to the economy and commerce, or recite hedging, insurance, and mitigating risks. Commercial or legal interactions recite agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, and business relations. 
Managing personal behavior or relationships or interactions between people recite social activities, teaching, and following rules or instructions. See MPEP § 2106.04(a)(2), subsection II. The claim limitations reciting the abstract idea are grouped within the “certain methods of organizing human activity” grouping of abstract ideas because the limitations recite fundamental economic principles or practices, as they recite mitigating risk, commercial or legal interactions, as they recite sales activities or behaviors. More specifically, the following underlined claim elements recite the abstract idea while the non-underlined claim elements recite additional elements according to MPEP 2106.04(a). at a mobile device, executing an application in an operating system of the mobile device; receiving by the application over a wireless network from a remote computer system, a first set of data associated with an account, wherein the account is associated with an original account number, and wherein the first set of data comprises (1) a first substituted account number that is associated with but is distinct from the original account number, and (2) a first non-permanent cryptographic key associated with the account, the first non-permanent cryptographic key being different from a permanent cryptographic key associated with the account; locally storing the first substituted account number and the first non-permanent cryptographic key at the mobile device as a local cryptographic key associated with the account; and sending information to a point-of-sale (POS) terminal from the mobile device, wherein the POS terminal is configured to implement an interrogation defined by a card specification that indicates a receipt, by the POS terminal, of a cryptogram calculated using unpredictable data passed to the mobile device from the POS terminal, and wherein sending information to the POS terminal comprises: generating, by the application, a response cryptogram (1) using the local 
cryptographic key associated with the account for encryption, and (2) without using the permanent cryptographic key associated with the account; and sending a device response communication from the mobile device to an electronic reader through a first communications channel, the device response communication comprising an application data protocol unit containing the response cryptogram and the first substituted account number, wherein the payment card transaction initiated by the mobile device is authorized based on authentication of the APDU by the remote computer system. Step 2A Prong Two Prong Two asks does the claim recite additional elements that integrate the judicial exception into a practical application (MPEP § 2106.04(II)(A)(2)). Here, the additional elements individually and in combination, are recited at a high level of generality as generic and conventional elements merely serving as a tool to perform the abstract idea (MPEP § 2106.05(f)) and generally linking the use of the abstract idea to a particular technological environment (MPEP § 2106.05(h)). The description of the additional elements evidences that they are generic and conventional elements used as tools to perform the abstract idea (See Pre-Grant Publication 0047, 0049, 0051, 0067-0091, 0148-0168, 0241, 0274-0277, 0283-0287). These additional elements do not improve the functioning of computers, another technology, or a technical field (MPEP §§ 2106.04(d)(1) and 2106.05(a)). They do not apply the abstract idea to effect a particular treatment or prophylaxis for a disease or medical condition (MPEP § 2106.04(d)(2)). They do not implement the abstract idea with a particular machine or manufacture that is integral to the claim (MPEP § 2106.05(b)). They do not transform or reduce a particular article to a different state or thing (MPEP § 2106.05(c)). 
Nor do they apply the abstract idea in a meaningful way or impose a meaningful limit on it beyond linking its use to a particular technological environment (MPEP § 2106.05(e)). Such a generic computer implementation does not make the abstract idea patent eligible because a wholly generic computer implementation is not generally the sort of additional feature that provides any practical assurance that the process is more than a drafting effort designed to monopolize the abstract idea itself. The Specification and the claim language provide evidence that the focus of the claim is not on a specific improvement in technology but rather on a scheme, for which generic and conventional elements are invoked merely as a tool to implement the abstract idea and link it to a particular field of use. Even if the Specification describes technical improvements, they are not claimed. Thus, the additional elements do not integrate the abstract idea into a practical application. Accordingly, the claims are directed to the abstract idea identified above. Step 2B Step 2B determines whether the claim as a whole amounts to significantly more than the abstract idea itself (MPEP § 2106.05). Evaluating additional elements to determine whether they amount to an inventive concept requires considering them both individually and in combination to ensure that they amount to significantly more than the abstract idea itself. Individually, the additional elements do not amount to significantly more than the abstract idea. As discussed previously, the description of the additional elements evidences that they are generic and conventional elements used as tools to perform the abstract idea (See Pre-Grant Publication 0047, 0049, 0051, 0067-0091, 0148-0168, 0241, 0274-0277, 0283-0287). 
There is nothing in the Specification to indicate that the operations recited in the claims require any specialized hardware or inventive computer components or that the claimed invention is implemented using other than generic computer components to perform generic computer functions. As such, the additional elements merely serve as a tool to perform the abstract idea and generally link the use of the abstract idea to a particular technological environment. The ordered combination recites no more than the individual elements do. Thus, the additional elements are not significantly more than the abstract idea. Accordingly, the claims are directed to the abstract idea identified above without significantly more. The claims are not eligible, warranting a rejection for lack of subject matter eligibility and concluding the eligibility analysis. Dependent Claims Claims 22-23, 25-29 and 33-35 have also been analyzed. However, the subject matter of these claims also fails to recite patent eligible subject matter for the following reasons: Claim 22 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. 
The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. wherein sending information to the POS terminal comprises generating, by the application, the response cryptogram without using the unpredictable data passed to the mobile device from the POS terminal. Claim 23 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. 
wherein the original account number is an original account number embedded in track data of a payment card issued to a user of the mobile device, and wherein the first substituted account number is associated with or derived from the original account number. Claim 25 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. wherein the device response communication does not include the original account number. Claim 26 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. 
The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. wherein the first substituted account number is configured to be used for a single transaction. Claim 27 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. 
The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. wherein the original account number is unidentifiable from the device response communication. Claim 28 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. wherein the device response communication comprises dynamically generated Track 1 and/or Track 2 data comprising the first substituted account number. 
Claim 29 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. receiving by the application over the wireless network from the remote computer system, a second set of data associated with the account, the second set of data comprising (1) a second substituted account number that is associated with but is distinct from the original account number, and (2) a second non-permanent cryptographic key associated with the account; and storing the received second non-permanent cryptographic key as the local cryptographic key associated with the account. Claim 33 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. 
The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. wherein the first non-permanent cryptographic key and second non-permanent cryptographic key are associated with a remote payment authorization process. Claim 34 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. 
The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. in which the first non-permanent cryptographic key and the second non-permanent cryptographic key are generated based on an issuer master key. Claim 35 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements. 
at the remote computer system: upon request by an end user authenticated to the account and prior to the mobile device sending the response cryptogram to the POS terminal, generating the first substituted account number and the first non-permanent cryptographic key, associating the first substituted account number and the first non-permanent cryptographic key with the account, and sending the first substituted account number and the first non-permanent cryptographic key to the mobile device over the wireless network; and subsequent to the mobile device sending the response cryptogram to the POS terminal, or at a later specified by the remote computer system, or at a time initiated by the end user, generating a second substituted account number and a second non-permanent cryptographic key, associating the second substituted account number and the second non-permanent cryptographic key with the account and sending the second substituted account number and the second non-permanent cryptographic key to the mobile device over the wireless network. Claims 36-38, 40-44 and 48-49: Step 1 Claims 36-38, 40-44 and 48-49 are directed to a computer-implemented system (i.e., machine, and manufacture). Therefore, these claims fall within the four statutory categories of invention, and thus must be further analyzed at Step 2A to determine if the claims are directed to a judicial exception (See MPEP 2106.03, subsection II). Step 2A Prong One In Prong One examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. Claim 36 recites (i.e., sets forth or describes) an abstract idea of payment card transaction authorization. Specifically, but for the additional elements, the claim under its broadest reasonable interpretation recites limitations grouped within the “certain methods of organizing human activity” grouping of abstract ideas. 
The certain method of organizing human activity grouping is used to describe fundamental economic principles or practices, commercial or legal interactions, and managing personal behavior or relationships or interactions between people. Fundamental economic principles or practices are relating to the economy and commerce, or recite hedging, insurance, and mitigating risks. Commercial or legal interactions recite agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, and business relations. Managing personal behavior or relationships or interactions between people recite social activities, teaching, and following rules or instructions. See MPEP § 2106.04(a)(2), subsection II. The claim limitations reciting the abstract idea are grouped within the “certain methods of organizing human activity” grouping of abstract ideas because the limitations recite fundamental economic principles or practices, as they recite mitigating risk, commercial or legal interactions, as they recite sales activities or behaviors. More specifically, the following underlined claim elements recite the abstract idea while the non-underlined claim elements recite additional elements according to MPEP 2106.04(a). 
a mobile device comprising: a wireless interface to connect to a wireless network that is separate from a communications channel over which communications are received by the mobile device; one or more processors; and a non-transitory computer readable storage medium accessible by the one or more processors, the computer readable storage medium storing an application executable in an operating system of the mobile device to: receive over the wireless network from a remote computer system, a first set of data associated with an account, wherein the account is associated with an original account number, and wherein the first set of data comprises (1) a first substituted account number that is associated with but is distinct from the original account number, and (2) a first non-permanent cryptographic key associated with the account, the first non-permanent cryptographic key being different from a permanent cryptographic key associated with the account; store the first substituted account number and the first non-permanent cryptographic key at the mobile device as a local cryptographic key associated with the account; generate a response cryptogram (1) using the local cryptographic key associated with the account for encryption, and (2) without accessing the permanent cryptographic key associated with the account; and send a device response communication from the mobile device to an electronic reader of a point-of-sale (POS) terminal through the communications channel, wherein the POS terminal is configured to implement an interrogation defined by a card specification that indicates a receipt, by the POS terminal, of a cryptogram calculated using unpredictable data passed to the mobile device from the POS terminal, and wherein the device response communication comprises an application data protocol unit (APDU) containing the response cryptogram and the first substituted account number, wherein the payment card transaction initiated by the mobile device is authorized 
based on authentication of the APDU by the remote computer system.

Step 2A Prong Two

Prong Two asks does the claim recite additional elements that integrate the judicial exception into a practical application (MPEP § 2106.04(II)(A)(2)).

Here, the additional elements individually and in combination, are recited at a high level of generality as generic and conventional elements merely serving as a tool to perform the abstract idea (MPEP § 2106.05(f)) and generally linking the use of the abstract idea to a particular technological environment (MPEP § 2106.05(h)). The description of the additional elements evidences that they are generic and conventional elements used as tools to perform the abstract idea (See Pre-Grant Publication 0047, 0049, 0051, 0067-0091, 0148-0168, 0241, 0274-0277, 0283-0287).

These additional elements do not improve the functioning of computers, another technology, or a technical field (MPEP §§ 2106.04(d)(1) and 2106.05(a)). They do not apply the abstract idea to effect a particular treatment or prophylaxis for a disease or medical condition (MPEP § 2106.04(d)(2)). They do not implement the abstract idea with a particular machine or manufacture that is integral to the claim (MPEP § 2106.05(b)). They do not transform or reduce a particular article to a different state or thing (MPEP § 2106.05(c)). Nor do they apply the abstract idea in a meaningful way or impose a meaningful limit on it beyond linking its use to a particular technological environment (MPEP § 2106.05(e)).

Such a generic computer implementation does not make the abstract idea patent eligible because a wholly generic computer implementation is not generally the sort of additional feature that provides any practical assurance that the process is more than a drafting effort designed to monopolize the abstract idea itself.
The Specification and the claim language provide evidence that the focus of the claim is not on a specific improvement in technology but rather on a scheme, for which generic and conventional elements are invoked merely as a tool to implement the abstract idea and link it to a particular field of use. Even if the Specification describes technical improvements, they are not claimed.

Thus, the additional elements do not integrate the abstract idea into a practical application. Accordingly, the claims are directed to the abstract idea identified above.

Step 2B

Step 2B determines whether the claim as a whole amounts to significantly more than the abstract idea itself (MPEP § 2106.05). Evaluating additional elements to determine whether they amount to an inventive concept requires considering them both individually and in combination to ensure that they amount to significantly more than the abstract idea itself.

Individually, the additional elements do not amount to significantly more than the abstract idea. As discussed previously, the description of the additional elements evidences that they are generic and conventional elements used as tools to perform the abstract idea (See Pre-Grant Publication 0047, 0049, 0051, 0067-0091, 0148-0168, 0241, 0274-0277, 0283-0287). There is nothing in the Specification to indicate that the operations recited in the claims require any specialized hardware or inventive computer components or that the claimed invention is implemented using other than generic computer components to perform generic computer functions. As such, the additional elements merely serve as a tool to perform the abstract idea and generally link the use of the abstract idea to a particular technological environment.

The ordered combination recites no more than the individual elements do. Thus, the additional elements are not significantly more than the abstract idea.
Accordingly, the claims are directed to the abstract idea identified above without significantly more. The claims are not eligible, warranting a rejection for lack of subject matter eligibility and concluding the eligibility analysis.

Dependent Claims

Claims 37-38, 40-44 and 48-49 have also been analyzed. However, the subject matter of these claims also fails to recite patent eligible subject matter for the following reasons:

Claim 37 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the application is executable in the operating system of the mobile device to generate the response cryptogram without using the unpredictable data passed to the mobile device from the POS terminal.

Claim 38 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas.
The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the original account number is an original account number embedded in track data of a payment card issued to a user of the mobile device, and wherein the first substituted account number is associated with or derived from the original account number.

Claim 40 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment.
The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the device response communication does not include the original account number.

Claim 41 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the first substituted account number is configured to be used for a single transaction.
Claim 42 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the original account number is unidentifiable from the device response communication.

Claim 43 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment.
The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the device response communication comprises dynamically generated Track 1 and/or Track 2 data comprising the first substituted account number.

Claim 44 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.
wherein the application is further executable to:
receive over the wireless network from the remote computer system, a second set of data associated with the account, the second set of data comprising (1) a second substituted account number that is associated with but is distinct from the original account number, and (2) a second non-permanent cryptographic key associated with the account; and
store the received second non-permanent cryptographic key at the mobile device as the local cryptographic key associated with the account to change the local cryptographic key associated with the account.

Claim 48 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

wherein the first non-permanent cryptographic key and the second non-permanent cryptographic key are generated based on an issuer master key.
Claim 49 recites an abstract idea because the claim describes payment card transaction authorization, grouped within the “certain methods of organizing human activity” grouping of abstract ideas. The additional elements do not integrate the abstract idea into a practical application because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. The additional elements are not significantly more than the abstract idea because individually and in combination, the additional elements are recited at a high level of generality as generic and conventional computers and components merely serving as a tool to perform the abstract idea and generally linking the use of the abstract idea to a particular technological environment. Therefore, the claim is not eligible. The following underlined claim limitations recite the abstract idea. The non-underlined claim limitations recite additional elements.

the remote computer system, the remote computer system configured to generate non-permanent cryptographic keys associated with the account and send the non-permanent cryptographic keys associated with the account to the mobile device over the wireless network.

Claim Rejections - 35 USC § 103

The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negated by the manner in which the invention was made.

Claims 21-23, 25-29, 33-34, 36-38, 40-44, and 48-49 are rejected under 35 U.S.C. 103 as being unpatentable over US 2010/0185545 A1 to Royyuru et al. (hereinafter “Royyuru”) in view of US 2007/0297610 A1 to Chen et al. (hereinafter “Chen”).

Claims 21 and 36: Royyuru discloses a method and system comprising:
a mobile device comprising: a wireless interface to connect to a wireless network that is separate from a communications channel over which communications are received by the mobile device; one or more processors; and a non-transitory computer readable storage medium accessible by the one or more processors, the computer readable storage medium storing an application executable in an operating system of the mobile device to (Fig.3 item 305; paras 21, 35, 46, 51)
at a mobile device (Fig.3 item 305; paras 21, 35, 46, 51), executing an application (Fig.2 item 250; paras 43, 51) in an operating system of the mobile device (Fig.2 item 245; para 43)
locally storing the first substituted account number and the first non-permanent cryptographic key at the mobile device as a local cryptographic key associated with the account (paras 33, 46, 51)
sending information to a point-of-sale (POS) terminal from the mobile device (paras 47, 54)
wherein the POS terminal is configured to implement an interrogation defined by a card specification that indicates a receipt, by the POS terminal, of a cryptogram calculated using unpredictable data passed to the mobile device from the POS terminal, and (para 44)
wherein sending information to the POS terminal comprises: (paras 47, 54)
generating, by the application, a response cryptogram (1) using the local cryptographic key associated with the account for encryption, and (2) without using a permanent cryptographic key associated with the account (paras 33, 46-47, 51, 54)
sending a device response communication from the mobile device to an electronic reader
through a first communications channel, the device response communication comprising an application data protocol unit containing the response cryptogram and the first substituted account number, wherein the payment card transaction initiated by the mobile device is authorized based on authentication of the APDU by the remote computer system (paras 47, 54)

Royyuru does not disclose:
receiving by the application over a wireless network from a remote computer system, a first set of data associated with an account, wherein the account is associated with an original account number, and wherein the first set of data comprises (1) a first substituted account number that is associated with but is distinct from the original account number, and (2) a first non-permanent cryptographic key associated with the account, the first non-permanent cryptographic key being different from a permanent cryptographic key associated with the account

Chen, an analogous art of mobile encryption, discloses:
receiving by the application (paras 23, 25) over a wireless network (Fig.1 item 106, Fig.2 item 204; paras 22, 24, 41) from a remote computer system (Fig.1 item 102, Fig.2 item 202, Fig.3 item 302, Fig.4 item 402; paras 20-21, 24, 41, 48, 53), a first set of data associated with an account, wherein the account is associated with an original account number, and wherein the first set of data comprises (1) a first substituted account number that is associated with but is distinct from the original account number, and (2) a first non-permanent cryptographic key associated with the account, the first non-permanent cryptographic key being different from a permanent cryptographic key associated with the account (paras 23, 39, 73-78)

It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method and system of Royyuru to include receiving by the application over a wireless network from a remote computer system, a first set of data associated
with an account, wherein the account is associated with an original account number, and wherein the first set of data comprises (1) a first substituted account number that is associated with but is distinct from the original account number, and (2) a first non-permanent cryptographic key associated with the account, as disclosed in Chen. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5).

Claims 22 and 37: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36. Royyuru further discloses:
wherein sending information to the POS terminal comprises generating, by the application, the response cryptogram without using the unpredictable data passed to the mobile device from the POS terminal. (paras 33, 46-47, 51, 54)

Claims 23 and 38: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36. Chen further discloses:
wherein the original account number is an original account number embedded in track data of a payment card issued to a user of the mobile device, and wherein the first substituted account number is associated with or derived from the original account number. (paras 23, 39, 73-78)

It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method and system of Royyuru to include wherein the original account number is an original account number embedded in track data of a payment card issued to a user of the mobile device, and wherein the first substituted account number is associated with or derived from the original account number, as disclosed in Chen. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5).

Claims 25 and 40: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36.
Royyuru further discloses:
wherein the device response communication does not include the original account number. (paras 47, 54)

Claims 26 and 41: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36. Chen further discloses:
wherein the first substituted account number is configured to be used for a single transaction. (paras 23, 39, 73-78)

It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method and system of Royyuru to include wherein the first substituted account number is configured to be used for a single transaction, as disclosed in Chen. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5).

Claims 27 and 42: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36. Royyuru further discloses:
wherein the original account number is unidentifiable from the device response communication. (paras 47, 54)

Claims 28 and 43: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36. Royyuru further discloses:
wherein the device response communication comprises dynamically generated Track 1 and/or Track 2 data comprising the first substituted account number (paras 47, 54)

Claims 29 and 44: The combination of Royyuru in view of Chen discloses all limitations of claims 21 and 36.
Chen further discloses:
receiving by the application (paras 23, 25) over the wireless network (Fig.1 item 106, Fig.2 item 204; paras 22, 24, 41) from the remote computer system (Fig.1 item 102, Fig.2 item 202, Fig.3 item 302, Fig.4 item 402; paras 20-21, 24, 41, 48, 53), a second set of data associated with the account, the second set of data comprising (1) a second substituted account number that is associated with but is distinct from the original account number, and (2) a second non-permanent cryptographic key (paras 23, 39, 73-78) associated with the account (para 23)
storing the received second non-permanent cryptographic key as the local cryptographic key associated with the account (paras 35, 39, 73-78)

It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method and system of Royyuru to include receiving by the application over the wireless network from the remote computer system, a second set of data associated with the account, the second set of data comprising (1) a second substituted account number that is associated with but is distinct from the original account number, and (2) a second non-permanent cryptographic key associated with the account; and storing the received second non-permanent cryptographic key as the local cryptographic key associated with the account, as disclosed in Chen. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5).

Claim 33: The combination of Royyuru in view of Chen discloses all limitations of claim 29.
Royyuru further discloses:
wherein the first non-permanent cryptographic key … are associated with a remote payment authorization process (paras 47-48, 50, 52, 55)

Chen further discloses:
and second non-permanent cryptographic key (paras 73-78)

It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Royyuru to include a second non-permanent cryptographic key, as disclosed in Chen. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5).

Claims 34 and 48: The combination of Royyuru in view of Chen discloses all limitations of claims 29 and 44. Royyuru further discloses:
in which the first non-permanent cryptographic key … are generated based on an issuer master key (paras 33, 46, 51)

Chen further discloses:
and the second non-permanent cryptographic key (paras 73-78)

It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Royyuru to include a second non-permanent cryptographic key, as disclosed in Chen. One of ordinary skill in the art would have been motivated to do so in order to improve security (Chen, paras 1-5).

Claim 49: The combination of Royyuru in view of Chen discloses all limitations of claim 36. Royyuru further discloses:
the remote computer system, the remote computer system configured to generate non-permanent cryptographic keys associated with the account and send the non-permanent cryptographic keys associated with the account to the mobile device over the wireless network. (paras 33, 46, 51)

Conclusion

The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

US 8,374,916 B2 to White discloses: Devices, systems and methods are disclosed which relate to securing payments from a mobile communications device.
In exemplary embodiments, a mobile communications device communicates with a payment server via a point-of-sale device to conduct a transaction. The mobile communications device uses a client payment logic to send payment information to the point-of-sale device. The point-of-sale device uses a vendor payment logic to forward the payment information to the payment server. The payment server verifies the payment information and sends confirmation to the point-of-sale device.

US 2010/0153721 A1 to Mellqvist discloses: Portable electronic devices are provided including a virtual secure element module configured to access a remote secure element server. The virtual secure element module being configured to access the remote secure element server from the portable electronic device to provide a predetermined level of security for secure transactions. Related systems, methods and computer program products are also provided.

US 11,080,693 B2 to Fiske discloses: Methods, apparatus and computer software are provided for authorizing an EMV transaction between a user device and a point of sale terminal, particularly, but not exclusively, in situations where a secure element is not made available for the deployment of a payment application on the user device. The payment application is instead deployed to a processing environment that is outside of any secure element on the user device. An ICC Master Key corresponding to the payment application is held by a trusted authority, such as the issuing bank. The trusted authority is adapted to generate time-limited session keys on the basis of the ICC Master Key and distribute session keys to the payment application. Receipt of a session key by the payment application enables the payment application to conduct an EMV payment transaction. The session key is used to authorize a single EMV payment transaction.
US 2011/0078245 A1 to Kiffer discloses: The invention relates to a method for transferring at least one piece of application data from a source device to a destination device. According to the invention, the source device including at least one piece of identification data, the piece of identification data identifying an account number and a medium storing at least one piece of application data, the method including a sending step in which the source device sends at least the piece of identification data to a transfer control device; a processing step in which the transfer control device and/or another device connected to the transfer control device processes at least the piece of identification data; according to a processing result, the transfer control device forbids or authorizes to transfer at least one piece of application data to the destination device by transferring, when authorized, to the destination device at least the piece of identification data. The invention also relates to a corresponding system for controlling a transfer of at least one piece of application data.

US 2012/0074219 A1 to Burdett discloses: A payment device—payment device reader combination obtains issuer token data that was generated by an issuer entity from: input data, and an issuer application cryptogram based on the input data and a session key. The issuer token data is disassembled by the payment device—payment device reader combination to obtain the input data and the issuer application cryptogram, and the payment device—payment device reader combination computes a payment device application cryptogram based on the input data and the session key. This is compared, by the payment device—payment device reader combination, to the issuer application cryptogram. If the payment device application cryptogram matches the issuer application cryptogram, at least one action is allowed to take place on the payment device.

THIS ACTION IS MADE FINAL.
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ari Shahabi whose telephone number is (571)272-2565. The examiner can normally be reached M-F: 8:00-5:00.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached at 571-272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.
For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ARI SHAHABI/
Primary Examiner, Art Unit 3697

Prosecution Timeline

Mar 20, 2024
Application Filed
Jun 13, 2025
Non-Final Rejection — §101, §103
Dec 17, 2025
Response Filed
Jan 09, 2026
Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12597012
SERVER-SIDE CONTACTLESS CARD ACTIVATION
2y 5m to grant Granted Apr 07, 2026
Patent 12591891
SYSTEMS AND METHODS FOR PERSONAL IDENTIFICATION AND VERIFICATION
2y 5m to grant Granted Mar 31, 2026
Patent 12567038
MULTI-MODAL ARTIFICIAL INTELLIGENCE PLATFORM FOR BUILDING CONSTRUCTION
2y 5m to grant Granted Mar 03, 2026
Patent 12541760
MULTIFUNCTIONAL USER DEVICE
2y 5m to grant Granted Feb 03, 2026
Patent 12536525
APPLETS FOR CONTACTLESS CARD ACTIVATION
2y 5m to grant Granted Jan 27, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

3-4
Expected OA Rounds
52%
Grant Probability
93%
With Interview (+40.1%)
3y 4m
Median Time to Grant
Moderate
PTA Risk
Based on 200 resolved cases by this examiner. Grant probability derived from career allow rate.
