DETAILED ACTION
Response to Amendment
The Amendment filed on 02/19/2026 has been entered. Claims 6 and 14 are pending. Claims 1-5, 7-13, and 15-18 remain rejected. Applicant’s amendments to the Specifications, Drawings, and Claims have overcome the objections previously set forth in the Non-Final Office Action mailed 11/19/2025.
Specification
Applicant’s amendments to the specifications filed on 02/19/2026 have been reconsidered. Applicant’s amendments to the specifications have been accepted and overcome the objections to the drawings. Objections to the drawings have been withdrawn.
Drawings
Applicant’s amendments to the drawings filed on 02/19/2026 have been reconsidered. Applicant’s amendments to the specifications have been accepted and overcome the objections to the drawings. Objections to the drawings have been withdrawn.
Response to Objections
Applicant’s amendments to the specifications filed on 02/19/2026 have been considered. Applicant’s amendments to the specifications have been accepted and overcome the objections to the drawings. Objections to the drawings have been withdrawn.
Response to Arguments
Applicant’s arguments with respect to the amended claims, filed 02/19/2026, have been considered but are not persuasive. In response to applicant’s argument that Fisher does not teach an indication that a challenge or additional authentication is required in response to a satisfactory result of a determination relative to a threshold, e.g., a low risk scenario in which the user is in fact verified” (see page 9), it is respectfully pointed out that Fisher does teach, in response to the age of the user satisfying [the defined age threshold], causing a challenge question for biometric authentication of the user to be issued to the user, whereby authentication of the user is initiated through a mobile device of the user (“the directory server computer 106 may be further configured to perform a risk analysis using user data, user computing device data and/or transaction data received in the authentication request message for a transaction from the user computing device 102. In such embodiments, the directory server computer 106 may determine a risk score for the transaction and send the risk score to the access control server computer 108 for additional authentication processing” – See [0059]; “In some embodiments, the access control server computer 108 may be configured to perform a risk analysis using user data, user computing device data and/or transaction data received in the authentication request message for a transaction from the user computing device 102. As noted above, the authentication request message may include payment device data, geolocation data, account data, or other similar data related to financial transactions. In some embodiments, the authentication request message may include nonfinancial transaction-related data, including browser data, mobile application data, etc. The access control server computer 108 may use this data to determine a risk score associated with a payment device or account that is being used for a transaction” – See [0062]).
While Fisher et al. teaches providing an authenticated purchase to a user where the user's age is verified on a restricted items purchases like alcohol (“For example, a user may want to prove their age in order to purchase alcohol”) – See [0093], Fisher fails to explicitly disclose a defined age threshold sufficient to be able to purchase the age-restricted product.
However, Mollett et al. discloses determining, by the computing device, the age of the user satisfies a defined age threshold sufficient to be able to purchase the age-restricted product (“Thus, in the embodiment shown in FIG. 5A, the authorization threshold field 504 provides information about both whether an age-restriction is associated with an item and, if so, about the value of the age-related authorization threshold itself”) – [col. 18 lines 32-40 and fig. 5A].
Fisher et al. and Mollett et al. are analogous art in point-of-sale terminals and authentication of users using age information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. to incorporate the teachings of Mollett et al. to determine the age verification signal, determining by the computing device, the age of the user to satisfy a defined threshold. Doing so would prevent users from purchasing an age-restricted product and provide an authenticated system to purchase items at a grocery and/or point-of-sale [see col. 5 lines 8-26 and fig. 3].
For the reasons above, Claim 1 is rejected over Fisher and Mollett. Claims 2-5 and 8-9 depend from Claim 1 and are rejected over the cited art for the same reasons. Claims 1-5 and 8-9 are therefore respectfully rejected.
Independent Claims 10 and 18 recite similar limitations to Claim 1, and are defended on the same basis as Claim 1. As such, Claims 10 and 18 are rejected under 35 U.S.C. § 103 for the same reasons explained above with respect to Claim 1. Also, Claims 11-13 and 16-17 depend from claim 10. As such, Claims 11-13 and 16-17 are also rejected under § 103 for the same reasons.
In response to applicant’s arguments regarding Claims 7 and 15, which additionally cite Girish as supplementing Fisher and Mollett, the examiner respectfully disagrees that Girish fails to remedy the shortcomings of Fisher and Mollett with respect to Claims 1 and 10, as explained in detail above. Girish discloses transmitting a challenge result response to a merchant application associated with a merchant involved in the purchase interaction (Par. 109 the challenge request message sent from the access control server computer 112a to the user computing device 102 through the directory server computer 110 and/or the service provider computer 104…. Par. 110… the challenge response message may be sent from the user computing device 102 to the access control server computer 112A through the service provider computer 104 and/or the directory server computer 110; Par. 63 of Girish discloses service provider computer 104 being a merchant computer…. Par. 49 of Girish further discloses verifying user’s age for purchase of alcohol). Claims 7 and 15 are still rejected under 35 U.S.C. § 103 over the combination of Fisher, Mollett, and Girish.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claim(s) 1-5, 8-13, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Fisher et al. (US 20150120559 A1) in view of Mollett et al. (US 6755344 B1).
Regarding Claim 1, Fisher et al. discloses a computer-implemented method for verifying age attributes of users in connection with network interactions involving the users, the method comprising: (“Embodiments of the invention are directed to methods, systems, and apparatuses for performing authentications for transactions using a single message pair sent by a user computing device to an authentication program” – See [0007]; “See [0036]: An application may be used to perform financial transactions (e.g., purchase transactions) and/or non-financial transactions (e.g., using a mobile application for age or identity verification)” - See [0093]; “For example, a user may want to prove their age in order to purchase alcohol…. The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user” ….);
receiving, at a computing device, an authentication request (AReq), in connection with a purchase interaction for an age-restricted product (“the data sent in the authentication request message to the access control server computer 108 may be dynamically determined based on the transaction data, the user data, and the computing device data” – See [0054]; “Examples of non-financial transactions may include transactions verifying a user's age or identity (e.g., verifying identity with a government agency, verifying age for the purchase of alcohol”) - See [0017]; “The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user”) – See [0093];
the AReq including an account number for a user and an age verification signal (“[0093] …a user may want to prove their age in order to purchase alcohol. …, the user may access a mobile application on the user computing device 102 that is configured for generating and formatting authentication request messages for the secure authentication program. The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user.”; “the data sent in the authentication request message to the access control server computer 108 may be dynamically determined based on the transaction data, the user data, and the computing device data” - See [0054]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number” – See [0031]);
in response to the age verification signal (“The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user. ….”) – See [0036];
retrieving, by the computing device, a birthdate of the user (“The access control server computer may provide authentication services for both financial and non-financial (e.g., access) transactions. In some embodiments, the access control server computer may be associated with an issuer computer. In other embodiments, the access control server computer may be associated with a payment processing server computer.” – See [0046]; “date of birth” - See [0031]; “In other embodiments, the data sent in the authentication request message to the access control server computer 108 may be dynamically determined based on the transaction data, the user data, and the computing device data”); and,
determining, by the computing device, the age of the user satisfies (see par. 93: “In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator ( e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query” – See [0031]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc”;) and
determining, by the computing device, the age of the user satisfies a [defined age threshold] sufficient to be able to purchase the age-restricted product (“For example, a user may want to prove their age in order to purchase alcohol. In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query”) – See [0093]; and
in response to the age of the user satisfying [the defined age threshold], causing a challenge question for biometric authentication of the user to be issued to the user, whereby authentication of the user is initiated through a mobile device of the user (“the directory server computer 106 may be further configured to perform a risk analysis using user data, user computing device data and/or transaction data received in the authentication request message for a transaction from the user computing device 102. In such embodiments, the directory server computer 106 may determine a risk score for the transaction and send the risk score to the access control server computer 108 for additional authentication processing” – See [0059]; “Low risk levels may result in the generation of a verification value ( e.g., cardholder authentication verification value or CAVV) for the transaction, while high risk levels may result in a request for additional authentication processes (e.g., secure data elements, passwords or challenge questions)” – See [0015]; (“In step 6, the user computing device 102 returns a challenge response message to the access control server computer 108”) - See [85]; “The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data” - See [0101]).
While Fisher et al. teaches providing an authenticated purchase to a user where the user's age is verified on a restricted items purchases like alcohol (“For example, a user may want to prove their age in order to purchase alcohol”) – See [0093], Fisher fails to explicitly disclose a defined age threshold sufficient to be able to purchase the age-restricted product.
However, Mollett et al. discloses determining, by the computing device, the age of the user satisfies a defined age threshold sufficient to be able to purchase the age-restricted product (“Thus, in the embodiment shown in FIG. 5A, the authorization threshold field 504 provides information about both whether an age-restriction is associated with an item and, if so, about the value of the age-related authorization threshold itself”) – [col. 18 lines 32-40 and fig. 5A].
Fisher et al. and Mollett et al. are analogous art in point-of-sale terminals and authentication of users using age information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. to incorporate the teachings of Mollett et al. to determine the age verification signal, determining by the computing device, the age of the user to satisfy a defined threshold. Doing so would prevent users from purchasing an age-restricted product and provide an authenticated system to purchase items at a grocery and/or point-of-sale [see col. 5 lines 8-26 and fig. 3].
Regarding Claim 2, Fisher et al. in view of Mollett et al. discloses all features of claim 1 as outlined above.
Fisher teaches the computing device is an access control server (ACS) which is disposed in communication with a directory server of an enhanced authentication scheme in connection with the purchase interaction for the age-restricted product (“In other embodiments, the data sent in the authentication request message to the access control server computer 108 may be dynamically determined based on the transaction data, the user data, and the computing device data” - See [0054]); See also Fig 1 identifies Access Control Server Computer 108; “Examples of non-financial transactions may include transactions verifying a user's age or identity ( e.g., verifying identity with a government agency, verifying age for the purchase of alcohol”) - See [0017]; Par. 63 of Girish discloses service provider computer 104 being a merchant computer….Par 49 of Girish further discloses verifying user’s age for purchase of alcohol.
Regarding Claim 3, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 1 and 2 as outlined above.
Fisher et al. discloses the age verification signal includes an instruction to verify the age of the user and the defined age threshold sufficient to purchase the age-restricted product (“The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user …”) – See [0036]; “For example, a user may want to prove their age in order to purchase alcohol…In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query) - See [0093].
Fisher fails to explicitly disclose a defined threshold.
However, Mollett et al. discloses determining, by the computing device, the age of the user satisfies the defined age threshold sufficient to purchase the age-restricted product (“Thus, in the embodiment shown in FIG. 5A, the authorization threshold field 504 provides information about both whether an age-restriction is associated with an item and, if so, about the value of the age-related authorization threshold itself”) – [0045].
Fisher et al. and Mollett et al. are analogous art in point-of-sale terminals and authentication of users using age information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. to incorporate the teachings of Mollett et al. to determine the age verification signal, determining by the computing device, the age of the user to satisfy a defined threshold. Doing so would prevent users from purchasing an age-restricted product and provide an authenticated system to purchase items at a grocery and/or point-of-sale [see col. 5 lines 8-26 and fig. 3].
Regarding Claim 4, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 1-3 as outlined above.
Fisher et al. teaches the computer-implemented method of claim 3, further comprising searching for a user profile for the user based on the account number included in the AReq (“The data sent in the authentication request message may include user computing device data ( e.g., operating system data, browser data, mobile application data, geo-location data), user data ( e.g., user name, user address data, user email address, user phone number), and transaction data ( e.g., shopping cart data, payment device data, payment account number), and/or other comparable data”) -See [0075]; “In step 204, the server computer determines if authentication is available for the transaction by determining whether an account identifier associated with the user is enrolled in a secure authentication program. For example, the server computer may determine whether the account identifier (e.g., BIN, PAN) is an account identifier that has been enrolled in the secure authentication program” – See [0096]); and
wherein retrieving the birthdate for the user includes retrieving the birthdate for the user from the user profile (“data retrieved from an authentication history server computer 110 from previous authentication processes involving the account identifier” – See [0097]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.”) - See [0031].
Regarding Claim 5, Fisher et al. in view of Mollett et al. discloses all features of claim 1 as outlined above.
Fisher et al. teaches the computer-implemented method of claim 1, wherein the computing device is a directory server in communication with an access control server (ACS) of an enhanced authentication scheme (“In step 3, the directory server computer 106 may route the authentication request message to an appropriate access control server computer 108 associated with the received payment device data” - See [0077]); and
wherein causing the challenge question includes transmitting the AReq to the ACS, whereby the ACS initiates the challenge question through an authentication response (ARes) back to the directory server (“In step 5, when the access control server computer 108 requires additional data to authenticate the transaction, the access control server computer 108 may initiate a challenge process with the user” - See [0084]; “The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data” - see [0101]).
Regarding Claim 8, Fisher et al. in view of Mollett et al. discloses all features of claim 1 as outlined above.
Fisher et al. teaches the computer-implemented method of claim 1, wherein receiving the AReq includes receiving the AReq from a directory server (“In other embodiments, the challenge request message may be sent to the user computing device 102 through the directory server computer 106” - See [0084]); and
wherein retrieving the birthdate includes retrieving the birthdate from a user profile from an issuer of an account identified by the account number (“data retrieved from an authentication history server computer 110 from previous authentication processes involving the account identifier” - See [0097]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.” - See [0031]; “The authentication history server computer 110 may be a database connected to the directory server computer 106 that can be accessed as part of the authentication process”) – See [0068]; and
wherein causing the challenge question includes including a challenge question indicator in an authentication response (ARes) and transmitting the ARes to the directory server, whereby the directory server transmits the ARes to a merchant plug-in (MPI) to initiate the challenge question with the user (“The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data” - See [0101]; “In step 309, the access control server computer 107 may generate and send an authentication response message to the user computing device 102 via directory server computer 106, as described previously in step 7 of FIG. 1” – See [0115]; “Using the example above, where the risk score determined from the risk analysis is between 5 and 10, the transaction may be considered high risk, and the process may continue to step 5 for further authentication processes ( e.g., a challenge process)” - See [0082]; “In step 8, the mobile application stored on the user computing device 102 may receive the authentication response message including the verification value from the directory server computer 106. The mobile application may send the verification value to the merchant computer 104 associated with the mobile application to conduct authorization processes for the transaction” - See [0088]; “The mobile application may also store software components for a merchant plug-in module which may act as a proxy for re-directing the user computing device 102 to the web address (or URL) of the directory server computer 106 and/or the access control server computer 108”) - See [76].
Regarding claim 9, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 1 and 8 as outlined above.
Fisher et al. teaches the computer-implemented method of claim 8, wherein the MPI is associated with a merchant involved in the interaction (“In some embodiments, the mobile application stored on the user computing device 102 may store all the data for the merchant within the mobile application, and accessing the merchant computer 104 may not be required” – See [0076]; “In steps 310-311, the verification value may be sent from the user computing device 102 to a payment processing server computer 314 via a merchant computer 304 associated with the transaction as part of an authorization process for the transaction” – See [0116]); and
wherein causing the challenge question includes causing the challenge question to be presented to the user, via the merchant (“In steps 307 and 308, when the risk score indicates that the transaction is high risk, a challenge process may be performed between the access control server computer 108 and the user computing device, as described previously in steps 5-6 of FIG. 1, respectively” – See [0114]; “The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data” - See [0101]).
Regarding Claim 10, Fisher et al. discloses a system for verifying age attributes of users in connection with network interactions involving the users, the system comprising: (“Embodiments of the invention are directed to methods, systems, and apparatuses for performing authentications for transactions using a single message pair sent by a user computing device to an authentication program” – See [0007]. … An application may be used to perform financial transactions (e.g., purchase transactions) and/or non-financial transactions (e.g., using a mobile application for age or identity verification). – See par. [0036]; “For example, a user may want to prove their age in order to purchase alcohol. …. The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user”. ….) - See [0093];
an access control server (ACS), which is configured, by executable instructions (“An "access control server computer" may be a computer or system that is configured to provide authentication and/or verification services” - See [0046]), to:
receiving, at a computing device, an authentication request (AReq), in connection with a purchase interaction for an age-restricted product, the AReq including an account number of an account of a user and an age verification signal (“a user may want to prove their age in order to purchase alcohol. …, the user may access a mobile application on the user computing device 102 that is configured for generating and formatting authentication request messages for the secure authentication program. The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user” – See [0094]; “data retrieved from an authentication history server computer 110 from previous authentication processes involving the account identifier” - See [0097]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.” - See [0031]; “The authentication history server computer 110 may be a database connected to the directory server computer 106 that can be accessed as part of the authentication process”) – See [0068];
in response to the age verification signal (“The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user …”) - See [0036];
retrieve a birthdate of the user, via an issuer of the account to the user (“In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator ( e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query” – See [0093]; “date of birth”- See [0031];
determine, based on the birthdate of the user, an age of the user (“a payment device enrolled in the secure authentication program may include user data that may be used in verifying the age of the user” - See [0093]; “date of birth”- See [0031]);
determine the age of the user satisfies a [defined age threshold] sufficient age to be able to purchase the age-restricted product (“see par. 93: For example, a user may want to prove their age in order to purchase alcohol. In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query”) – See [0093]; and
in response to the age of the user satisfying [the defined age threshold], cause a challenge question for biometric authentication of the user to be issued to the user, whereby authentication of the user is initiated through a mobile device of the user (“Low risk levels may result in the generation of a verification value (e.g., cardholder authentication verification value or CAVV) for the transaction, while high risk levels may result in a request for additional authentication processes (e.g., secure data elements, passwords or challenge questions)” - See [0015]; (“In step 6, the user computing device 102 returns a challenge response message to the access control server computer 108”) - See [85]; “The directory server computer 106 may be further configured to perform a risk analysis using user data, user computing device data and/or transaction data received in the authentication request message for a transaction from the user computing device 102. In such embodiments, the directory server computer 106 may determine a risk score for the transaction and send the risk score to the access control server computer 108 for additional authentication processing” - See [0059]; (“The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data” - See [0101]).
Fisher fails to explicitly disclose a defined age threshold sufficient to be able to purchase the age-restricted product.
However, Mollett et al. discloses determining, by the computing device, the age of the user satisfies a defined age threshold sufficient to be able to purchase the age-restricted product (“Thus, in the embodiment shown in FIG. 5A, the authorization threshold field 504 provides information about both whether an age-restriction is associated with an item and, if so, about the value of the age-related authorization threshold itself”) – [col. 18 lines 32-40 and fig. 5A].
Fisher et al. and Mollett et al. are analogous art in point-of-sale terminals and authentication of users using age information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. to incorporate the teachings of Mollett et al. to determine the age verification signal, determining by the computing device, the age of the user to satisfy a defined threshold. Doing so would prevent users from purchasing an age-restricted product and provide an authenticated system to purchase items at a grocery and/or point-of-sale [see col. 5 lines 8-26 and fig. 3].
Regarding claim 11, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 10 as outlined above.
Fisher et al. teaches the system of claim 10, wherein the ACS is coupled in communication with a directory server of an enhanced authentication scheme in connection with the interaction related to the age-restricted product (“In other embodiments, the data sent in the authentication request message to the access control server computer 108 may be dynamically determined based on the transaction data, the user data, and the computing device data” - See [0054]); See also Fig 1 identifies Access Control Server Computer 108; (“For example, a user may want to prove their age in order to purchase alcohol. In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query”) – See [0093].
Regarding Claim 12, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 10 and 11 as outlined above.
Fisher et al. discloses the system of claim 11, wherein the age verification signal includes an instruction to verify the age of the user (“For example, a user may want to prove their age in order to purchase alcohol…In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query” – See [0093]; “The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user. ….” - See [0093]).
While Fisher et al. teaches providing an authenticated purchase to a user where the user's age is verified on restricted item purchases like alcohol (“For example, a user may want to prove their age in order to purchase alcohol”) – See [0093], Fisher fails to explicitly disclose a defined threshold.
However, Mollett et al. discloses determining, by the computing device, the age of the user satisfies a defined (“Thus, in the embodiment shown in FIG. 5A, the authorization threshold field 504 provides information about both whether an age-restriction is associated with an item and, if so, about the value of the age-related authorization threshold itself”) – [0045].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. to incorporate the teachings of Mollett et al. to determine the age verification signal, determining by the computing device, the age of the user to satisfy a defined threshold. Doing so would prevent users from purchasing an age-restricted product and utilize age authorization for “citizenship, residence, membership, weight, security clearance level, or other authorizing characteristics” [0040].
Regarding Claim 13, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 10-12 as outlined above.
Fisher et al. teaches the system of claim 12, wherein the ACS is further configured, by the executable instructions, to search for a user profile for the user based on the account number included in the AReq (“The data sent in the authentication request message may include user computing device data (e.g., operating system data, browser data, mobile application data, geo-location data), user data (e.g., user name, user address data, user email address, user phone number), and transaction data (e.g., shopping cart data, payment device data, payment account number), and/or other comparable data” – See [0075]; “In step 204, the server computer determines if authentication is available for the transaction by determining whether an account identifier associated with the user is enrolled in a secure authentication program. For example, the server computer may determine whether the account identifier (e.g., BIN, PAN) is an account identifier that has been enrolled in the secure authentication program” - See [0096]); and
wherein the ACS is configured, by the executable instruction, in retrieving the birthdate for the user, to retrieve the birthdate for the user from the user profile (“data retrieved from an authentication history server computer 110 from previous authentication processes involving the account identifier” - See [0097]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.”) - See [0031].
Regarding claim 16, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 10 as outlined above.
Fisher et al. teaches the system of claim 10, wherein the ACS is configured, by the executable instructions, to receive the AReq from a directory server (“In other embodiments, the challenge request message may be sent to the user computing device 102 through the directory server computer 106” - See [0084]); and
wherein the ACS is configured, by the executable instructions, in retrieving the birthdate, to retrieve the birthdate from a user profile from an issuer of an account identified by the account number (“data retrieved from an authentication history server computer 110 from previous authentication processes involving the account identifier” - See [0097]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.” - See [0031]; “The authentication history server computer 110 may be a database connected to the directory server computer 106 that can be accessed as part of the authentication process”) – See [0068]; and
wherein the ACS is configured, by the executable instructions, in causing the challenge question, to include a challenge question indicator in an authentication response (ARes) and to transmit the ARes to the directory server, whereby the directory server transmits the ARes to a merchant plug-in (MPI) to initiate the challenge question with the user (“In steps 307 and 308, when the risk score indicates that the transaction is high risk, a challenge process may be performed between the access control server computer 108 and the user computing device, as described previously in steps 5-6 of FIG. 1, respectively” - See [0114]; “In step 309, the access control server computer 107 may generate and send an authentication response message to the user computing device 102 via directory server computer 106, as described previously in step 7 of FIG. 1”) - See [0015]; “The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data” - See [0101]; “The mobile application may also store software components for a merchant plug-in module which may act as a proxy for re-directing the user computing device 102 to the web address (or URL) of the directory server computer 106 and/or the access control server computer 108”) - See [76].
Regarding claim 17, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 10 and 16 as outlined above.
Fisher et al. teaches the system of claim 16, wherein the MPI is associated with a merchant involved in the purchase interaction (“The mobile application may also store software components for a merchant plug-in module, which may act as a proxy for re-directing the user computing device 102 to the web address (or URL) of the directory server computer 106 and/or the access control server computer 108” – See [0076]; “In steps 310-311, the verification value may be sent from the user computing device 102 to a payment processing server computer 314 via a merchant computer 304 associated with the transaction as part of an authorization process for the transaction” - See [0016]); and
wherein the ACS is configured, by the executable instructions, in causing the challenge question, to cause the challenge question to be presented to the user, via one of an application and a browser included in the mobile device (“In steps 307 and 308, when the risk score indicates that the transaction is high risk, a challenge process may be performed between the access control server computer 108 and the user computing device, as described previously in steps 5-6 of FIG. 1, respectively” – See [0114]; “The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data”) - See [0101].
Regarding Claim 18, Fisher et al. discloses a non-transitory computer readable storage medium including executable instructions for verifying one or more attributes of a user in connection with a network interaction involving the user, wherein when the executable instructions are executed by at least one processor of a payment network, the executable instructions cause the at least one processor to: (“The control logic may be stored in an information storage medium as a plurality of instructions adapted to direct an information processing device to perform a set of steps disclosed in embodiments of the present invention” – See [0125]; “The term "transaction" may include an exchange or interaction between two entities” - See [0017]; “A server computer comprising: a processor; and a tangible non-transitory computer readable medium coupled to the processor, the tangible non-transitory computer readable medium comprising code, executable by the processor for implementing a method comprising” – See Claim 14);
receive an authentication request (AReq) in connection with a purchase interaction for an age-restricted product by a user from a merchant, the AReq including an account number of an account of a user and a verification signal; (“For example, a user may want to prove their age in order to purchase alcohol…In this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query” – See [0093]; “The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user. ….” – See [0036]; “User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.” – See [0031]);
in response to the verification signal (“The mobile application may send user computing device data and user data in the authentication request message to request an age verification of the user. ….” – See [0036]);
retrieve an attribute of the user, via an issuer of the account to the user; and (“the data sent in the authentication request message to the access control server computer 108 may be dynamically determined based on the transaction data, the user data, and the computing device data” – See [0054]; “The term "user data" may include data that regarding a user or a consumer. User data may include a name, mailing address, shipping address, phone number, payment account number, date of birth, marital status, income, social security number, demographic data, etc.” – See [0031]);
determine the attribute of the user satisfies [a defined age threshold] sufficient to be able to purchase the age-restricted product; and (“this situation, the access control server computer 108 would evaluate the user data and generate an authentication response message with an indicator (e.g., a Yes/No, a risk level or risk confidence indicator) in response to the query”) – See [0093]
in response to the attribute of the user satisfying [the defined age threshold], cause a challenge question for biometric authentication of the user to be issued to the user, whereby authentication of the user is initiated through a mobile device of the user (“The challenge request message may request that a secure data element be provided by the user. Examples of secure data elements include a password, a token, and/or biometric data”- See [0101]; “determining if authentication is available for the transaction by determining whether an account identifier associated with the user …the transaction data received in the authentication request message to compute a risk score… initiating generating and sending a challenge request message to the user computing device” – See Claim 14; “while high risk levels may result in a request for additional authentication processes (e.g., secure data elements, passwords or challenge questions”) – See [0015].
While Fisher et al. teaches providing a non-transitory readable storage medium including executable instructions for verifying on a restricted items purchases like alcohol (“For example, a user may want to prove their age in order to purchase alcohol”) – See [0093], Fisher fails to explicitly disclose a defined age threshold sufficient to be able to purchase the age-restricted product.
However, Mollett et al. discloses determining, by the computing device, that the age of the user satisfies a defined age threshold sufficient to be able to purchase the age-restricted product (“Thus, in the embodiment shown in FIG. 5A, the authorization threshold field 504 provides information about both whether an age-restriction is associated with an item and, if so, about the value of the age-related authorization threshold itself”) – [col. 18, lines 32-40 and fig. 5A].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. to incorporate the teachings of Mollett et al. to determine the age verification signal, determining by the computing device, the age of the user to satisfy a defined threshold. Doing so would prevent users from purchasing an age-restricted product and provide an authenticated system to purchase items at a grocery and/or point-of-sale [see col. 5 lines 8-26 and fig. 3].
Claim(s) 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Fisher et al. (US-20150120559-A1) in view of Mollett et al. (US 6755344 B1) and further in view of Girish et al. (US-20190020478-A1).
Regarding Claim 7, Fisher et al. in view of Mollett et al. discloses all features of claim(s) 1 as outlined above.
Fisher et al. further teaches the computer-implemented method of claim 1, further comprising: a merchant plugin (MPI) [see par. 15 and 42].
The combination of Fisher et al. in view of Mollett et al. fails to explicitly disclose the limitation listed below. However, Girish teaches:
transmitting a challenge result response to a merchant application associated with a merchant involved in the purchase interaction (Par. 109 the challenge request message sent from the access control server computer 112a to the user computing device 102 through the directory server computer 110 and/or the service provider computer 104…. Par. 110… the challenge response message may be sent from the user computing device 102 to the access control server computer 112A through the service provider computer 104 and/or the directory server computer 110; Par. 63 of Girish discloses service provider computer 104 being a merchant computer….Par 49 of Girish further discloses verifying user’s age for purchase of alcohol); and
receiving, from the merchant, an authorization request for the purchase interaction for the age-restricted product, based on the challenge result response (Par. 109 of Girish teaches… the challenge request message sent from the access control server computer 112a to the user computing device 102 through the directory server computer 110 and/or the service provider computer 104…. Par. 110 of Girish teaches… the challenge response message may be sent from the user computing device 102 to the access control server computer 112A through the service provider computer 104 and/or the directory server computer 110; Par. 63 of Girish discloses service provider computer 104 being a merchant computer…. Par. 49 of Girish further discloses verifying user’s age for purchase of alcohol).
Fisher et al. in view of Mollett et al. and Girish et al. are analogous in point-of-sale terminals and authentication of users using age information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. in view of Mollett et al. to incorporate the teachings of Girish et al. to transmit a challenge result response to a merchant plugin (MPI) associated with a merchant involved in the interaction. Doing so would enhance data security regarding the merchant interactions and prevent fraud (“Tokens provide greater data security relative to real credentials, because if token are stolen by unauthorized persons, the real credentials are not exposed”) – See [Girish 0001 and pars. 48-49].
Regarding Claim 15, the combination of Fisher et al. in view of Mollett et al. discloses the system of claim 10 wherein the ACS is further configured, by the executable instructions (“An "access control server computer" may be a computer or system that is configured to provide authentication and/or verification services” - See [0046]) and a merchant plugin (MPI) [see par. 15 and 42].
The combination of Fisher et al. in view of Mollett et al. fails to explicitly disclose the following; however, Girish teaches a controlled access server system to: transmit a challenge result response to a merchant plugin associated with a merchant involved in the purchase interaction, after authenticating the user, via the challenge question (see fig. 4 and Par. 109 the challenge request message sent from the access control server computer 112a to the user computing device 102 through the directory server computer 110 and/or the service provider computer 104…. Par. 110… the challenge response message may be sent from the user computing device 102 to the access control server computer 112A through the service provider computer 104 and/or the directory server computer 110; Par. 63 of Girish discloses service provider computer 104 being a merchant computer…. Par. 49 of Girish further discloses verifying user’s age for purchase of alcohol).
Fisher et al. in view of Mollett et al. and Girish et al. are analogous in point-of-sale terminals and authentication of users using age information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Fisher et al. in view of Mollett et al. to incorporate the teachings of Girish et al. to transmit a challenge result response to a merchant plugin (MPI) associated with a merchant involved in the interaction. Doing so would enhance data security regarding the merchant interactions and prevent fraud (“Tokens provide greater data security relative to real credentials, because if token are stolen by unauthorized persons, the real credentials are not exposed”) – See [Girish 0001 and pars. 48-49].
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIVIAN D. HO whose telephone number is (571)272-9957. The examiner can normally be reached M-TH 8:00 - 5:00; F 8:00 - 12:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VIVIAN D HO/Examiner, Art Unit 2497
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497