DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This office action is in response to Applicant’s communication filed October 16, 2024 in which claims 1-20 are pending in the application.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
2. Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The Examiner has identified independent system Claim 13 as the claim that represents the claimed invention for analysis and is similar to independent Claims 1 and 20.
The claims 1-12 are directed to a method, claims 13-19 are directed to a system and claim 20 is directed to a non-transitory, computer-readable medium, which are one of the statutory categories of invention (Step 1: YES).
The claim 13 recites : a server comprising a processor and a memory, wherein the server is configured to: receive, from a merchant device associated with a merchant, a first plurality of risk data associated with a user; receive, from a software development kit (SDK) embedded by a first entity, a second plurality of risk data associated with the user; receive, from a second entity, a third plurality of risk data associated with the user; identify the user; train a fraud risk machine learning model; and determine a fraud risk profile of the user, based on the fraud risk machine learning model, using the first plurality of risk data, the second plurality of risk data, and the third plurality of risk data. These limitations (with the exception of italicized portions), under their broadest reasonable interpretation, when considered collectively as an ordered combination, is a process that covers Certain methods of organizing human activity such as fundamental economic principles or practices (including insurance, mitigating risk, and hedging). Determining a fraud risk profile of the user is a way of mitigating a risk and mitigating a risk is a Fundamental Economic Practice. The claim also recites a server, a processor, a memory, a merchant device, a software development kit (SDK) and “train a fraud risk machine learning model” which do not necessarily restrict the claim from reciting an abstract idea. That is, other than, a server, a processor, a memory, a merchant device, a software development kit (SDK) and “train a fraud risk machine learning model”, nothing in the claim precludes the steps from being performed as a method of organizing human activity. If the claim limitations, under the broadest reasonable interpretation, covers methods of organizing human activity but for the recitation of generic computer components, then it falls within the “Certain methods of organizing human activity” grouping of abstract ideas. Accordingly, the claim 13 recites an abstract idea (Step 2A: Prong 1: YES).
This judicial exception is not integrated into a practical application. The additional elements of a server, a processor, a memory, a merchant device, a software development kit (SDK) and “train a fraud risk machine learning model” result in no more than simply applying the abstract idea using generic computer elements. The specification describes the additional elements of a server, a processor, a memory, a merchant device, a software development kit (SDK) and “train a fraud risk machine learning model” to be generic computer elements (see Fig. 1, Fig. 2, Fig. 5, [0063-0064]). Hence, the additional elements in the claim are generic components suitably programmed to perform their respective functions. The additional elements of a server, a processor, a memory, a merchant device, a software development kit (SDK) and “train a fraud risk machine learning model” are recited at a high level of generality and under their broadest reasonable interpretation comprises a generic computer arrangement. The presence of a generic computer arrangement is nothing more than mere instructions to implement the abstract idea on a computer (MPEP 2106.05(f)). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Hence, the claims as a whole are not integrated into a practical application. Therefore, the claim 13 is directed to an abstract idea (Step 2A - Prong 2: NO).
The claim 13 does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements of a server, a processor, a memory, a merchant device, a software development kit (SDK) and “train a fraud risk machine learning model” are recited at a high level of generality in that it results in no more than simply applying the abstract idea using generic computer elements. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component (MPEP 2106.05(f)). The additional elements, when considered separately and as an ordered combination, does not add significantly more (also known as an “inventive concept”) to the exception. The additional elements of the instant underlying process, when taken in combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone. Thus, claim 13 is not patent eligible (Step 2B: NO).
Similar arguments can he extended to other independent claims 1 and 20 and hence the claims 1 and 20 are rejected on similar grounds as claim 13.
Dependent claims 2-12 and 14-19 are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitations only narrow the abstract idea further and thus correspond to Certain Methods of Organizing Human Activity and hence are abstract for the reasons presented above. Dependent claims 6, 12, 14, 16 and 19 recite new additional elements that are not present in independent claims 1 or 13 or 20.
Claims 6, 14, 16 and 19 recite the additional elements of the website browsing data such as Internet Protocol (IP) address data, hardware details data, software details data, first party cookies, third party cookies, etc. The website browsing data, recited in the claims, is recited at a high level of generality and amounts to generic computer implementation. Hence, it does not integrate the abstract idea into a practical application or provide significantly more than the abstract idea when considered individually and as an ordered combination.
Claim 12 recites the additional elements of the Short Message Service (SMS) one time password (OTP). The Short Message Service (SMS) one time password (OTP), recited in the claims, is recited at a high level of generality and amounts to generic computer implementation. Hence, it does not integrate the abstract idea into a practical application or provide significantly more than the abstract idea when considered individually and as an ordered combination.
Viewing the claim limitations as a combination does not add anything further than looking at the claim limitations individually. When viewed either individually, or as a combination, the additional limitations do not amount to a claim as a whole that is significantly more than the abstract idea. Accordingly, claim(s) 1-20 are ineligible.
Claim Rejections - 35 USC § 103
3. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
4. Claims 1-4, 7, 10, 11, 13, 17, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Benkreira et al., U.S. Patent Application Publication Number (2023/0059064 A1) in view of Jain et al., U.S. Patent Application Publication Number (2023/0115713 A1).
Regarding Claim 1,
Benkreira teaches a method for reducing fraud, comprising : (See at least Fig. 2, Fig. 3);
receiving, by a server from a merchant device associated with a merchant, a first plurality of risk data associated with a user (See at least [0075], [0089-0090], “the AI engine can retrieve transaction data associated with a particular user and/or a particular payment instrument. Transaction data may include characteristics of previous transactions (and/or transaction requests), including payment instrument type, transaction amount, absolute location, location relative to home address, merchant name, merchant type, other merchant details, transaction type, merchant payment system type, time, and date, transaction frequency (how often the payment instrument is used), last used transaction (including the location thereof), average transaction amount, total number of transactions, and other transaction metrics.” The transaction data mentioned above can be interpreted as the risk data associated with a user);
receiving, by the server from a software development kit (SDK) embedded by a first entity, a second plurality of risk data associated with the user (See at least [0062], [0076-0079], [0093-0094], “Fraud application data can include a current location of a user device associated with the user, a last known location of the user device, last time using an application of the user device associated with first issuer system, and other metrics pertaining to the user's device, and/or use if the application associated with the first issuer system. Fraud application data can be collected by the application associated with the first issuer system accessible on the user device via API calls.” Fraud application data serves as a second plurality of risk data associated with the user);
receiving, by the server from a second entity, a third plurality of risk data associated with the user (See at least [0058], [0062], [0072], [0074], [0078], “AI engine can alternatively, or in addition to, receive such data from one of user device, one or more second issuers, and/or financial consortium network” Data received from one of user device, one or more second issuers, and/or financial consortium network serves as a third plurality of risk data associated with the user);
identifying the user (See at least [0091], “the first issuer system may identify relevant user data pertaining to the user associated with the payment instrument in the received transaction request”);
training, by the server, a fraud risk machine learning model (See at least [0070], [0073], [0084], “the AI engine may utilize global data as a training set in a machine learning model to generate a fraud model. The fraud model can be arranged as a data structure that can be used to quickly and accurately determine a fraud severity value and a notification value taking at least characteristics of a transaction request as inputs.”);
determining, by the server, a fraud risk profile of the user, based on the fraud risk machine learning model, using the first plurality of risk data, the second plurality of risk data, and the third plurality of risk data (See at least [0092], “ the first issuer system may determine a fraud severity value and a notification value by using the extracted characteristics of the transaction request and the identified relevant user data as inputs to the fraud model” determining a fraud severity value and a notification value by using the extracted characteristics of the transaction request and the identified relevant user data as inputs to the fraud model can be interpreted as determining a fraud risk profile of the user).
However, Benkreira does not explicitly teach,
receiving, by the server from a software development kit (SDK) embedded by a first entity.
Jain, however, teaches,
receiving, by the server from a software development kit (SDK) embedded by a first entity (See at least [0040], “The data collection of the various information may be collected by a third-party SDK.”);
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira as it relates to reducing fraud to incorporate the disclosure of Jain as it relates to receiving data from a software development kit (SDK). The motivation for combining these references would have been to verify that the payment transaction data is not fraudulent based on the collected fraud verification information and may be used to identify a suspicious profile, and/or if a user already provided a legitimate payment. (See at least Jain, [0040]).
Regarding Claim 2,
The combination of Benkreira and Jain teaches the limitation of claim 1,
In addition, Jain teaches,
wherein the SDK is embedded in a checkout flow of the merchant. (See at least [0029], [0040-0042], “The payment consolidation process integrates a checkout process as a single interface to perform payment and updates a payment record with payment details. The payment consolidation instruction set dynamically loads third party systems (e.g., SDKs) when needed, hides complexity from a merchant point of view, and provides effortless travel integration for each payment record (e.g., PNRs) for each merchant.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira as it relates to reducing fraud to incorporate the disclosure of Jain as it relates to embedding SDK in a checkout flow of the merchant. The motivation for combining these references would have been to provide effortless travel integration for each payment record (e.g., PNRs) for each merchant (See at least Jain, [0029]).
Regarding Claim 3,
Benkreira further teaches,
wherein the third plurality of risk data includes fraud data (See at least [0076], fraud data).
Regarding Claim 4,
Benkreira further teaches,
wherein the first plurality of risk data is obtained by the merchant during a checkout flow of the merchant (See at least [0037], [0089-0090], “the first issuer system can receive a transaction request associated with a particular user’s payment instrument from a merchant payment system. The transaction request can be received from the merchant payment system to the first issuer system upon an attempt to conduct a transaction with the payment instrument. At step 302, the first issuer system can extract characteristics from the transaction request” Characteristics from the transaction request can be interpreted as risk data is obtained by the merchant during a checkout flow of the merchant).
Regarding Claim 7,
Benkreira further teaches,
wherein the third plurality of risk data is associated with the user through an universal identifier (See at least [0099], “The fraud notification transmitted to the one or more second issuers can include an identification of the user, the fraud severity value, and fraud severity information, in order to alert the one or more second issuer systems of the severity of suspected fraud.” An identification of the user transmitted can be interpreted as an universal identifier).
Regarding Claim 10,
Benkreira further teaches,
receiving from a third entity, a fourth plurality of risk data associated with the user (See at least [0099], “the fraud notification transmitted to the one or more second issuers can include an identification of the user, the fraud severity value, and fraud severity information, in order to alert the one or more second issuer systems of the severity of suspected fraud.” an identification of the user, the fraud severity value, and fraud severity information serves as a fourth plurality of risk data).
Regarding Claim 11,
Benkreira further teaches,
wherein the user is identified through the universal identifier (See at least [0091], [0099], “the first issuer system may identify relevant user data pertaining to the user associated with the payment instrument in the received transaction request.” Identifying relevant user data pertaining to the user associated with the payment instrument can be interpreted as the user being identified through the universal identifier).
Regarding Claims 13 and 20,
Independent claims 13 and 20 are substantially similar to independent claim 1, and hence rejected on similar grounds. Claim 13 also recites a server comprising a processor and a memory which is taught by Benkreira (see at least [0028]).
Regarding Claim 17,
Claim 17 is substantially similar to the combination of claims 7 and claim 10, and hence rejected on similar grounds.
Regarding Claim 18,
Claim 18 is substantially similar to the combination of claims 7 and claim 11, and hence rejected on similar grounds.
5. Claims 5-6, 12, 14, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Benkreira in view of Jain and further in view of O'Connell et al., U.S. Patent Application Publication Number (2018/0337926 A1).
Regarding Claim 5,
The combination of Benkreira and Jain teaches the limitation of claim 1,
However, Benkreira and Jain combined do not explicitly teach,
wherein the first plurality of risk data includes website browsing data of a website of the merchant that is browsed by the user.
O'Connell, however, teaches,
wherein the first plurality of risk data includes website browsing data of a website of the merchant that is browsed by the user (See at least [0055-0056], “The identifiers can include data associated with the authorization request message, the first requesting device 102, and/or a user of the first requesting device 102. Examples of types of identifiers may include a device type, a device identifier, an account number, a user identifier, an email address, a physical address, a phone number, an internet protocol (IP) address, browser data, application data, operating system data, GPS location data, and biometric data.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of O'Connell as it relates to merchants ability to draw user data from the browser website. The motivation for combining these references would have been to minimize the risks of unauthorized access. (See at least O'Connell, [0005]).
Regarding Claim 6,
The combination of Benkreira, Jain and O'Connell teaches the limitation of claim 5,
In addition, O'Connell teaches,
wherein the website browsing data includes at least one selected from the group of behavioral data, browser connection data, geolocation data, browsing history data, mouse movement data, device orientation data, fronts and languages data, image data, Internet Protocol (IP) address data, hardware details data, software details data, first party cookies, third party cookies, autofill data, detailed input logs data, browser fingerprints data, shared WIFI data, and Media Access Control (MAC) address data (See at least [0055-0056], “The identifiers can include data associated with the authorization request message, the first requesting device 102, and/or a user of the first requesting device 102. Examples of types of identifiers may include a device type, a device identifier, an account number, a user identifier, an email address, a physical address, a phone number, an internet protocol (IP) address, browser data, application data, operating system data, GPS location data, and biometric data.” browser data is equivalent to the browsing history data).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of O'Connell as it relates to merchants ability to draw user data from the browser website. The motivation for combining these references would have been to minimize the risks of unauthorized access. (See at least O'Connell, [0005]).
Regarding Claim 12,
The combination of Benkreira and Jain teaches the limitation of claim 1,
However, Benkreira and Jain combined do not explicitly teach,
wherein the third plurality of risk data includes the time and date of the most recent Short Message Service (SMS) one time password (OTP) authentication completed by the user.
O'Connell, however, teaches,
wherein the third plurality of risk data includes the time and date of the most recent Short Message Service (SMS) one time password (OTP) authentication completed by the user (See at least [0066], [0082], [0098], [0100], [0103], [0114-0115], “Additional types of authorization activity may include a history of fraud associated with an account identifier, a length of time since the most recent authentication, a date and time of the most recent authentication”. It is known to base fraud detection on the most recent authentication completed by a user, SMS OTP being a well-known form of user authentication).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of O'Connell as it relates to the most recent authentication completed by a user. The motivation for combining these references would have been to minimize the risks of unauthorized access. (See at least O'Connell, [0005]).
Regarding Claim 14,
Claim 14 is substantially similar to the combination of claim 5 and claim 6, and hence rejected on similar grounds.
Regarding Claim 16,
The combination of Benkreira and Jain teaches the limitation of claim 13,
However, Benkreira and Jain combined do not explicitly teach,
wherein the first plurality of risk data includes website browsing data of a website of the merchant that is browsed by the user, and the website browsing data includes at least one selected from the group of hardware details data, software details data, first party cookies, third party cookies, autofill data, detailed input logs data.
O'Connell, however, teaches,
wherein the first plurality of risk data includes website browsing data of a website of the merchant that is browsed by the user, and the website browsing data includes at least one selected from the group of hardware details data, software details data, first party cookies, third party cookies, autofill data, detailed input logs data (See at least [0055-0056], “The identifiers can include data associated with the authorization request message, the first requesting device 102, and/or a user of the first requesting device 102. Examples of types of identifiers may include a device type, a device identifier, an account number, a user identifier, an email address, a physical address, a phone number, an internet protocol (IP) address, browser data, application data, operating system data, GPS location data, and biometric data.” Operating system data serves as the software details data).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of O'Connell as it relates to merchants ability to draw user data from the browser website. The motivation for combining these references would have been to minimize the risks of unauthorized access. (See at least O'Connell, [0005]).
Regarding Claim 19,
The combination of Benkreira and Jain teaches the limitation of claim 13,
However, Benkreira and Jain combined do not explicitly teach,
wherein the first plurality of risk data includes website browsing data of a website of the merchant that is browsed by the user, and the website browsing data includes at least one selected from the group of browser fingerprint data, shared network data, and Media Access Control (MAC) address data.
O'Connell, however, teaches,
wherein the first plurality of risk data includes website browsing data of a website of the merchant that is browsed by the user, and the website browsing data includes at least one selected from the group of browser fingerprint data, shared network data, and Media Access Control (MAC) address data (See at least [0055-0056], “The identifiers can include data associated with the authorization request message, the first requesting device 102, and/or a user of the first requesting device 102. Examples of types of identifiers may include a device type, a device identifier, an account number, a user identifier, an email address, a physical address, a phone number, an internet protocol (IP) address, browser data, application data, operating system data, GPS location data, and biometric data.” An internet protocol (IP) address serves as the shared network data).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of O'Connell as it relates to merchants ability to draw user data from the browser website. The motivation for combining these references would have been to minimize the risks of unauthorized access. (See at least O'Connell, [0005]).
6. Claims 8, 9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Benkreira in view of Jain and further in view of Rothschild et al., U.S. Patent Application Publication Number (2005/0054438 A1).
Regarding Claim 8,
The combination of Benkreira and Jain teaches the limitation of claim 7,
However, Benkreira and Jain combined do not explicitly teach,
wherein the universal identifier is a social security number of the user.
Rothschild, however, teaches,
wherein the universal identifier is a social security number of the user (See at least [0046], “when a universal personal identifier such as a Smart card, an eye scan, patron entry of his place of birth and last 4 digits of his social security number, a Bluetooth.TM. PDA, etc., is detected via a suitable device of the POS terminal”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of Rothschild as it relates to the use of a universal personal identifier for accessing patron information. The motivation for combining these references would have been to take advantage of streamlined services, improved data accuracy, and enhanced personalization by providing a consistent way to link a person's records across different systems.
Regarding Claim 9,
The combination of Benkreira and Jain teaches the limitation of claim 7,
However, Benkreira and Jain combined do not explicitly teach,
wherein the universal identifier is a card identifier of the user.
Rothschild, however, teaches,
wherein the universal identifier is a card identifier of the user (See at least [0046], “when a universal personal identifier such as a Smart card, an eye scan, patron entry of his place of birth and last 4 digits of his social security number, a Bluetooth.TM. PDA, etc., is detected via a suitable device of the POS terminal”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the above-noted disclosure of Benkreira and Jain to incorporate the disclosure of Rothschild as it relates to the use of a universal personal identifier for accessing patron information. The motivation for combining these references would have been to take advantage of streamlined services, improved data accuracy, and enhanced personalization by providing a consistent way to link a person's records across different systems.
Regarding Claim 15,
Claim 15 is substantially similar to the combination of claims 7 and claim 9, and hence rejected on similar grounds.
Examiner Request
7. The Applicant is request to indicate where in the specification there is support for amendments to claims should Applicant amend. The purpose of this is to reduce potential 35 U.S.C. §112(a) or §112 1st paragraph issues that can arise when claims are amended without support in the specification. The Examiner thanks the Applicant in advance.
Conclusion
8. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BHAVIN SHAH whose telephone number is (571)272-2981. The examiner can normally be reached on M-F 9AM-6PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Bennett Sigmond can be reached on 303-297-4411. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/B.D.S./Examiner, Art Unit 3694
January 14, 2026
/BENNETT M SIGMOND/Supervisory Patent Examiner, Art Unit 3694