DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
2. The information disclosure statement (IDS) was submitted on 04/17/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC §101
3. 35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
4. Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
5. In the instant case, claims 1, 9, and 16 are directed to a “method, system, and non-transitory, computer-readable medium for disabling a contactless card for fraud prevention”.
6. Claim 1 recites “disabling a payment instrument for fraud prevention”. Specifically, the claim recites “determining that the … card is fraudulent, comprising at least one selected from the group of determining that a trust level score of the … card is less than a trust level threshold, determining that the … card is lost, and determining that the … card is stolen; and disabling the … card, comprising at least one selected from the group of overwriting … on the … card, changing … keys on the … card, deleting … keys on the … card, changing a … key on the … card, and modifying a payment … on the … card to accept a … signal”. This subject matter is grouped under “Certain methods of organizing human activity” (e.g., fundamental economic principles and practices) and is an abstract idea under prong one of step 2A (MPEP 2106.04(a)).
7. This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A (MPEP 2106.04 II), the additional elements of claim 1 such as “a contactless card”, “an applet on the contactless card”, “public keys on the contactless card”, “public and private keys on the contactless card”, “a private key on the contactless card”, “a payment applet on the contactless card”, and “a temporary disabling signal” do no more than represent the use of a computer as a tool to perform an abstract idea in a particular technological environment or field of use, and therefore, neither improve computer functionality nor improve another technology or technical field. With respect to “overwriting an applet on the contactless card, changing public keys on the contactless card, deleting public and private keys on the contactless card, changing a private key on the contactless card, and modifying a payment applet on the contactless card to accept a temporary disabling signal”, the claim lacks details regarding what “overwriting an applet”, “changing public keys”, “deleting public and private keys”, “changing a private key”, and “modifying a payment applet” comprise. Therefore, as Applicant has neither placed a restriction on how “overwriting an applet”, “changing public keys”, “deleting public and private keys”, “changing a private key”, and “modifying a payment applet” are performed nor described how the functions are accomplished, the limitations do not integrate the abstract idea into a practical application and do not improve the functioning of a computer or another technology or technical field, as it is no more than “apply it” (MPEP 2106.05(f)(1)).
8. When analyzed under step 2B (MPEP 2106.04 II), the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception itself. Viewed as a whole, the combination of elements recited in the claims merely describes the concept of disabling a payment instrument for fraud prevention using computer technology (e.g., the processor). Therefore, the use of these additional elements does no more than employ a computer as a tool to automate and/or implement the abstract idea, which cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)).
9. Hence, claim 1 is not patent eligible.
10. Claims 9 and 16 also recite “disabling a payment instrument for fraud prevention”. This subject matter is grouped under “Certain methods of organizing human activity” (e.g., fundamental economic principles and practices) and is an abstract idea under prong one of step 2A (MPEP 2106.04(a)).
11. As in the case of claim 1, the judicial exception is not integrated into a practical application because when analyzed under prong two of step 2A (MPEP 2106.04 II), the additional elements of claims 9 and 16 such as “a contactless card”, “an applet on the contactless card”, “a server”, “a processor”, “a memory”, “an applet on the contactless card”, “public keys on the contactless card”, “public and private keys on the contactless card”, “a private key on the contactless card”, “a payment applet on the contactless card”, “a temporary disabling signal”, “a non-transitory, computer-readable medium”, and “a computer arrangement” represent the use of a computer as a tool to perform an abstract idea. The additional elements do no more than represent the use of a computer as a tool to perform an abstract idea in a particular technological environment or field of use, and therefore, neither improve computer functionality nor improve another technology or technical field. With respect to “overwriting an applet on the contactless card, changing public keys on the contactless card, deleting public and private keys on the contactless card, changing a private key on the contactless card, and modifying a payment applet on the contactless card to accept a temporary disabling signal”, the claim lacks details regarding what “overwriting an applet”, “changing public keys”, “deleting public and private keys”, “changing a private key”, and “modifying a payment applet” comprise. Therefore, as Applicant has neither placed a restriction on how “overwriting an applet”, “changing public keys”, “deleting public and private keys”, “changing a private key”, and “modifying a payment applet” are performed nor described how the functions are accomplished, the limitations do not integrate the abstract idea into a practical application and do not improve the functioning of a computer or another technology or technical field, as it is no more than “apply it” (MPEP 2106.05(f)(1)).
12. When analyzed under step 2B (MPEP 2106.04 II), the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception itself. Viewed as a whole, the combination of elements recited in the claims merely describes the concept of disabling a payment instrument for fraud prevention using computer technology (e.g., the processor). Therefore, the use of these additional elements does no more than employ a computer as a tool to automate and/or implement the abstract idea, which cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)).
13. Hence, claims 9 and 16 are not patent eligible.
14. Dependent claim 2 recites the additional element of “the applet on the contactless card is a Europay, Mastercard, and Visa (EMV) applet”, which represents the use of a computer as a tool to perform an abstract idea and does no more than generally link the abstract idea to a particular field of use, and therefore does not improve the functioning of a computer or any other technology or technical field.
Dependent claim 3 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein overwriting the … card permanently disables the … card”. The additional elements such as “the applet on the contactless card” and “the contactless card” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 4 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “further comprising recovering the … key on the … card to reactivate the … card”. The additional elements such as “the private key on the contactless card” and “the contactless card” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 5 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “establishing a fraudulent profile for the … card; and generating the trust level score of the … card based on the fraudulent profile”. The additional element such as “the contactless card” represents the use of a computer as a tool to perform an abstract idea and does no more than generally link the abstract idea to a particular field of use, and therefore does not improve the functioning of a computer or any other technology or technical field.
Dependent claim 6 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein changing … keys on the … card causes an initial authentication not to take place on the … card”. The additional elements such as “public keys on the contactless card” and “the contactless card” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 7 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein disabling the … card is conducted over …”. The additional elements such as “the contactless card”, “near field communication (NFC)” and “a phone” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 8 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein changing … keys on the … card is to permanently disable the … card”. The additional elements such as “public keys on the contactless card” and “the contactless card” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 10 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein … further configured to send a … command to the … card to temporary disable the … card”. The additional elements such as “the server”, “a signed command to the contactless card” and “the contactless card” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 11 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein disable the contactless card is conducted through a software development kit (SDK) embedded in a merchant website”. The additional elements such as “the server”, “the contactless card”, and “a signature with an embedded public key in the signed command” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 12 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein disable the … card is conducted through … embedded in a merchant …”. The additional elements such as “the contactless card”, “a software development kit (SDK)”, and “a merchant website” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 13 recites the additional elements of “the SDK”, “one or more application programming interfaces (APIs)”, and “the server”, which represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 14 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein challenges and … keys are held … and communicated over …”. The additional elements such as “public keys”, “the server”, “the one or more APIs”, and “the SDK” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 15 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein … key … is used for mutual authentication of the … card and …”. The additional elements such as “public key cryptography”, “the contactless card”, and “the SDK” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 17 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein disabling the … card is conducted through … embedded in a merchant …”. The additional elements such as “the contactless card”, “a software development kit (SDK)”, and “a merchant website” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 18 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein the … card and … exchange … certificates containing their … keys, which opens a … communications … between the … card and …”. The additional elements such as “the contactless card”, “the SDK”, “digital certificates”, “public keys” and “a secure communications channel” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 19 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein … establishes a fraud profile of a user associated with the … card”. The additional elements such as “the SDK” and “the contactless card” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Dependent claim 20 further describes the abstract idea of disabling a payment instrument for fraud prevention, as it recites “wherein … addresses are used to evaluate the fraud profile of the user”. The additional elements such as “website cookies” and “internet protocol (IP) addresses” represent the use of a computer as a tool to perform an abstract idea and do no more than generally link the abstract idea to a particular field of use, and therefore do not improve the functioning of a computer or any other technology or technical field.
Conclusion
15. The claims as a whole do not amount to significantly more than the abstract idea itself. This is because the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement to the functioning of a computer system itself; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.
16. Accordingly, there are no meaningful limitations in the claims that transform the judicial exception into a patent eligible application such that the claims amount to significantly more than the judicial exception itself.
Claim Rejections - 35 USC § 112
17. The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
18. Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
19. Claim 2 recites “wherein the applet on the contactless card is a Europay, Mastercard, and Visa (EMV) applet”.
The claim contains the trademarks/trade names “Europay”, “Mastercard”, “Visa”, and “EMV”. Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph. See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982). The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product. A trademark or trade name is used to identify a source of goods, and not the goods themselves. Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name. In the present case, the trademark/trade name is used to identify/describe “the contactless card” and, accordingly, the identification/description is indefinite.
Claim Rejections - 35 USC § 103
20. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
21. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
22. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
23. Claims 1-3, 5-11, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over US11336454B2 to Rule et al. in view of US11658997B2 to Duane et al.
24. As per claims 1, 9, and 16:
Rule et al. discloses the following limitations:
A method of disabling a contactless card for fraud prevention, comprising (Col.34, lines 61-65 “the contactless card may be configured to communicate with a device so as to disable one or more capabilities or functionalities of the contactless card, including but not limited to, deactivation of an applet, such as a payment applet.”, col.31, lines 61-65 “a message may be transmitted to one of the applets of the card to inactivate the payment applet. One of the applets may set up a secure channel to the payment applet and deactivate the payment applet on the chip”)
determining that the contactless card is fraudulent, comprising at least one selected from the group of: (Col.36, lines 29-31 “wherein the first applet is configured to deactivate, via a communication path, the second applet based on exceeding one or more predetermined thresholds.”) determining that a trust level score of the contactless card is less than a trust level threshold (Col.36, lines 29-37 “wherein the first applet is configured to deactivate, via a communication path, the second applet based on exceeding one or more predetermined thresholds… the one or more predetermined thresholds include at least one selected from the group of user status, user history, account activity, account history, transaction limits, spending limits, time limits, location limits, good type limit, service type limit, merchant limit, and point of sale device type.”), determining that the contactless card is lost, and determining that the contactless card is stolen (col.31, lines 53-58 “Users may seek to lock a payment, transaction, or other type of card to prevent unauthorized activity, such as misuse or fraud. However, locking a user's card to prevent misuse or fraud at the user's request or upon detection of suspicious activity by the issuing institution is performed by backend server.”, col.34, lines 61-65 “the contactless card may be configured to communicate with a device so as to disable one or more capabilities or functionalities of the contactless card, including but not limited to, deactivation of an applet, such as a payment applet.”)
disabling the contactless card, comprising at least one selected from the group of (Col.33, lines 4-6 “The first applet 1311 may be configured to deactivate the second applet 1313 via the one or more communication paths 1315”, col.33, lines 29-31 “The first applet 1311 of the contactless card 1305 may be configured to enable and disable the second applet 1313 of the contactless card 1305”) … modifying a payment applet on the contactless card to accept a temporary disabling signal (col.34, lines 40-43 “The second applet may be deactivated for a predetermined period of time. The second applet may be reactivated based on one or more gestures from the contactless card to the client device.”, col.31, lines 66-67 “the ability to reactivate the deactivated payment applet allows to restore the card usage.”, col.32, lines 27-29 “The second applet 1313 of the contactless card 1305 may include, but not be limited to, a payment applet.”, col.36, lines 46-48 “the second applet is reactivated when the transmitting device is positioned into a communication field of the device”).
Rule et al. does not disclose, however, Duane et al., as shown, teaches the following limitations:
[disabling] … overwriting an applet on the contactless card (Col.33, lines 11-13 “the OTP counter value of contactless card 1310 may be configured to destroy all keys, setting them to all zero.”, col.31, lines 43-46 “One way for a cryptographic device to respond to the detection of a potential attack is to render itself incapable of operation. This may be accomplished in a number of ways, including by erasing any keys within the device”), changing public keys on the contactless card (col.33, lines 11-13 “the OTP counter value of contactless card 1310 may be configured to destroy all keys, setting them to all zero.”), deleting public and private keys on the contactless card (col.33, lines 11-13 “the OTP counter value of contactless card 1310 may be configured to destroy all keys, setting them to all zero.”, col.31, lines 55-56 “internal security keys stored therein are deleted.”, col.2, lines 26-28 “destroy, responsive to one or more protective action requests transmitted by the at least one server, one or more keys of the contactless card.”), changing a private key on the contactless card (col.33, lines 11-13 “the OTP counter value of contactless card 1310 may be configured to destroy all keys, setting them to all zero.”, col.32, lines 54-57 “upon detection of an attack, the key may be destroyed to prevent an attacker from gaining access to the key, and the contactless card 1310 is forced into a state where it generates an OTP value indicating the attack.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for destroying all keys, setting them to all zero, deleting stored internal security keys, responsive to one or more protective action requests transmitted by the at least one server destroying contactless card keys, and generating OTP value indicating an attack (‘997, col.33, lines 11-13, col.31, lines 55-56, col.32, lines 54-57).
As per claim 9 Rule et al. additionally discloses the following limitations:
A system of disabling a contactless card for fraud prevention, comprising a server, wherein the server comprise a processor and a memory coupled to the processor, and the server is configured to (Col.5, lines 34-36 “System 100 may include one or more servers 120. In some examples, server 120 may include one or more processors, which are coupled to memory.”, col.36, lines 29-31 “the first applet is configured to deactivate, via a communication path, the second applet based on exceeding one or more predetermined thresholds”)
As per claim 16 Rule et al. additionally discloses the following limitations:
A non-transitory, computer-readable medium comprising instructions for disabling a contactless card for fraud prevention that, when executed on a computer arrangement, perform actions comprising (Col.38, lines 14-16 “A computer readable non-transitory medium comprising computer-executable instructions that are executed on a processor and comprise the steps of:”, col.38, lines 33-35 “deactivating, via a communication path, the second applet based on one or more messages indicative of exceeding one or more predetermined thresholds.”)
25. As per claim 2:
Rule et al. discloses the following limitations:
wherein the applet on the contactless card is a Europay, Mastercard, and Visa (EMV) applet (Col.28, lines 61-63 “the contactless card can communicate payment information necessary to complete the transaction under the EMV standard”, col.32, lines 27-29 “The second applet 1313 of the contactless card 1305 may include, but not be limited to, a payment applet.”)
26. As per claim 3:
Rule et al. does not disclose, however, Duane et al., as shown, teaches the following limitations:
wherein overwriting the applet on the contactless card permanently disables the contactless card (col.33, lines 11-13 “the OTP counter value of contactless card 1310 may be configured to destroy all keys, setting them to all zero.”, col.31, lines 55-56 “internal security keys stored therein are deleted.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for setting all the keys to zero, deleting stored internal security keys (‘997, col.33, lines 11-13, col.31, lines 55-56).
27. As per claim 5:
Rule et al. does not disclose, however, Duane et al., as shown, teaches the following limitations:
establishing a fraudulent profile for the contactless card (Col.37, lines 56-58 “establishing data communication with an engine so as to adjust a risk level of the user based on the detection of the potential attack.”)
generating the trust level score of the contactless card based on the fraudulent profile (col.24, lines 19-27 “when the authentication data uses a pATC equal to or lower than the previous value received by the authentication service, this may be interpreted as an attempt to replay an old message, and the authenticated may be rejected. In some examples, where the pATC is greater than the previous value received, this may be evaluated to determine if it is within an acceptable range or threshold, and if it exceeds or is outside the range or threshold, verification may be deemed to have failed or be unreliable.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for establishing data to adjust a risk level of the user based on the detection of the potential attack and determining whether an acceptable range or threshold, and verification may be deemed to have failed or be unreliable (‘997, col.37, lines 56-58, col.31, lines 55-56, col.24, lines 24-27).
28. As per claim 6:
Rule et al. discloses the following limitations:
wherein changing public keys on the contactless card causes an initial authentication not to take place on the contactless card (Col.36, lines 11-12 “generate a diversified key using the diversified master key, one or more cryptographic algorithms, and the counter”, col.36, lines 26-28 “decrypt the encrypted transmission data and validate the cryptographic result using the one or more cryptographic algorithms and the session key”)
29. As per claim 7:
Rule et al. discloses the following limitations:
wherein disabling the contactless card is conducted over near field communication (NFC) from a phone (col.33, lines 4-6 “The first applet 1311 may be configured to deactivate the second applet 1313 via the one or more communication paths 1315.”, col.36, lines 46-48 “the second applet is reactivated when the transmitting device is positioned into a communication field of the device”)
30. As per claim 8:
Rule et al. does not disclose, however, Duane et al., as shown, teaches the following limitations:
wherein changing public keys on the contactless card is to permanently disable the contactless card (Col.33, lines 11-16 “the OTP counter value of contactless card 1310 may be configured to destroy all keys, setting them to all zero. Contactless card 1310 may be configured to transition to a state where the OTP counter value is no longer incremented and remains fixed at the maximum value.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for destroying all keys, setting them to all zero by the OTP counter value, destroying contactless card keys, and generating OTP value indicating an attack (‘997, col.33, lines 11-16).
31. As per claim 10:
Rule et al. discloses the following limitations:
wherein the server is further configured to send a signed command to the contactless card to temporary disable the contactless card (col.34, lines 40-43 “The second applet may be deactivated for a predetermined period of time. The second applet may be reactivated based on one or more gestures from the contactless card to the client device”, col.36, lines 46-48 “the second applet is reactivated when the transmitting device is positioned into a communication field of the device”)
32. As per claim 11:
Rule et al. discloses the following limitations:
wherein the server is further configured to cause the contactless card to verify a signature with an embedded public key in the signed command (col.36, lines 4-6 “the memory comprises a diversified master key, transmission data, a first applet, a second applet, and a counter”, col.36, lines 11-12 “generate a diversified key using the diversified master key, one or more cryptographic algorithms, and the counter”)
33. Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over US11336454B2 to Rule et al. in view of US11658997B2 to Duane et al. and US8984648B2 to Marcovecchio et al.
34. As per claim 4:
Rule et al. does not disclose, however, Marcovecchio et al., as shown, teaches the following limitations:
recovering the private key on the contactless card to reactivate the contactless card (Col.12, lines 23-30 “the secure element 227 may include a security domain architecture to enable the service provider server 410 to perform key management and applet verification during load and installation processes. The secure element 227 may include an issuer security domain (ISD) which generally allows an applet 290 to be loaded into the secure element 227. The ISDs may be managed by the card manager 294.”, col.12, lines 33-35 “The ISD is the portion of the secure element 227 in which the MNO 414 may store the keys for OTA provisioning, card content management, and security domain management.”, col.11, lines 45-52 “the secure element 227 of the communication device 201 may only be configured or managed by instructions received from the TSM server 412, either directly or indirectly (e.g. via the NFC module 292). For example, referring again to FIG. 2, the addition, modification, or removal of an applet 290 may only be controlled by the TSM server 412 in some example embodiments. Communications or instructions from the TSM server 412 may be authenticated using at least the PKI.”, col.17, lines 5-15 “A method for managing, from a communication device, a secure element, the communication device having a non-secure-element memory for storing one or more device applications, the method being performed by the communication device and comprising: determining that an application stored on the secure element does not have an association with any of the device applications stored on the non-secure-element memory; in response to said determining, sending a communication to a server to delete the application from the secure element”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) and a method for managing a secure element from a communication device, which includes the removal of any "orphaned" applets from the secure element which are not associated with any of the device applications of Marcovecchio et al. (‘648, col.2, lines 1-4) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for determining that an application stored on the secure element does not have an association with any of the stored device applications and in response sending a communication to a server to delete the application from the secure element (‘648, col.17, lines 11-15).
35. Claims 12-15 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over US11336454B2 to Rule et al. in view of US11658997B2 to Duane et al. and US10438176B2 to Johnson et al.
36. As per claims 12 and 17:
Neither Rule et al. nor Duane et al. discloses, however, Johnson et al., as shown, teaches the following limitations:
wherein disable the contactless card is conducted through a software development kit (SDK) embedded in a merchant website (Col.19, lines 53-57 “In one implementation, a developer at the merchant site may copy and paste the XML formatted code from the MID-Platform UI into the merchant site source code 358 to generate updated merchant site UI with a new widget 359.”, col.11, lines 1-4 “In one implementation, the MID-Platform server 220 may send a checkout widget 234 to the merchant 250a-b so that the merchant may display a checkout lightbox (e.g., “V.me” checkout, etc.) if the merchant has an online shopping page”, col.75, lines 41-45 “upon registration information from the merchant, generate an application programming interface (API) key and a shared secret key for the merchant, said API key and said shared secret key for invoking the payment checkout widget at the site of the merchant”, col.75, lines 39-40 “send a payment checkout widget for the site of the merchant”, col.76, line 1 “wherein the site is a website”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) and a method for providing an advertising tracking and payment platform which combines online tracking of consumer behaviors and merchant advertising into purchase data of Johnson et al. (‘176, col.3, lines 1-3) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for sending the payment checkout widget to the site of the merchant, wherein the site is a website (‘176, col.75, lines 39-40).
37. As per claim 13:
Neither Rule et al. nor Duane et al. discloses, however, Johnson et al., as shown, teaches the following limitations:
wherein the SDK communicates via one or more application programming interfaces (APIs) with the server (col.75, lines 41-45 “upon registration information from the merchant, generate an application programming interface (API) key and a shared secret key for the merchant, said API key and said shared secret key for invoking the payment checkout widget at the site of the merchant”, col.6, lines 1-7 “the merchant device (e.g., a web browser instantiated on a merchant computer, etc.) may provide a registration request 215a-b to the MID-Platform server 220 as a HTTP(S) POST message including XML-formatted data. An example listing of a merchant registration request message 215a-b, substantially in the form of a HTTP(S) POST message including XML-formatted data”, col.19, lines 50-52 “In one implementation, the MID-Platform server may generate an XML formatted API package (e.g., the widget 234 in FIG. 2A) and provide to the merchant”, col.75, lines 11-14 “formulating a payment transaction authorization request in a HTTP(S) POST message based on the previously assigned merchant ID and the payment request”, col.75, lines 4-5 “receiving, using one or more data processors, a payment request associated with a site of a merchant”, col.75, lines 53-58 “sending, using the one or more data processors, a payment processing request based on the payment request to the selected one account processor, wherein the one or more data processors invoke a transaction UI based on the API key and the shared secret key in response to sending”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) and a method for providing an advertising tracking and payment platform which combines online tracking of consumer behaviors and merchant advertising into purchase data of Johnson et al. (‘176, col.3, lines 1-3) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for generating an application programming interface (API) key and a shared secret key for the merchant, the API key and the shared secret key (‘176, col.75, lines 41-43).
38. As per claim 14:
Rule et al. discloses the following limitations:
wherein challenges and public keys are held by the server and communicated over the one or more APIs to the SDK (col.36, lines 13-15 “generate a cryptographic result including the counter using one or more cryptographic algorithms and the diversified key”, col.36, lines 19-20 “transmit the cryptographic result and encrypted transmission data to the application”, col.36, lines 22-23 “generate an authentication diversified key based on the master key and a unique identifier”)
39. As per claim 15:
Rule et al. discloses the following limitations:
wherein public key cryptography is used for mutual authentication of the contactless card and the SDK (col.36, lines 11-12 “generate a diversified key using the diversified master key, one or more cryptographic algorithms, and the counter”, col.36, lines 22-28 “generate an authentication diversified key based on the master key and a unique identifier, generate a session key based on the authentication diversified key and the cryptographic result, and decrypt the encrypted transmission data and validate the cryptographic result using the one or more cryptographic algorithms and the session key”)
40. As per claim 18:
Rule et al. discloses the following limitations:
wherein the contactless card and the SDK exchange digital certificates containing their public keys, which opens a secure communications channel between the contactless card and the SDK (Col.36, lines 16-26 “encrypt the transmission data using the one or more cryptographic algorithms and the diversified key to yield encrypted transmission data…transmit the cryptographic result and encrypted transmission data to the application…generate a session key based on the authentication diversified key and the cryptographic result”)
41. As per claim 19:
Rule et al. discloses the following limitations:
wherein the SDK establishes a fraud profile of a user associated with the contactless card (col.36, lines 32-37 “one or more predetermined thresholds include at least one selected from the group of user status, user history, account activity, account history, transaction limits, spending limits, time limits, location limits, good type limit, service type limit, merchant limit, and point of sale device type”, col.36, lines 62-64 “the one or more servers are configured to monitor a time period associated with deactivation of the transmitting device”)
42. Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over US11336454B2 to Rule et al. in view of US11658997B2 to Duane et al. and US7908645B2 to Varghese et al.
43. As per claim 20:
Neither Rule et al., Duane et al., nor Johnson et al. discloses, however, Varghese et al., as shown, teaches the following limitations:
wherein website cookies or internet protocol (IP) addresses are used to evaluate the fraud profile of the user (col.15, lines 32-34 “a secure token, e.g., a secure cookie, available from a device which has been previously used as a user device.”, col.15, lines 37-41 “If another request then originates from this device, the secure token can be retrieved and its contents compared against the currently-collected location and device information. Any mismatches can be weighted to form a score for use in risk analysis”, col.9, lines 59-61 “Basic authentication services can be limited to user device fingerprinting and confirmation of basic machine data, e.g., IP address, operating systems, device ID, and the like.”, col.9, lines 6-8 “This information can include blacklists and/or white-lists of devices with higher risk of fraud and with lower risk of fraud, respectively”, col.5, lines 64-67 “The present invention includes secure cookies, flash objects and other technologies to recognize and to fingerprint the from which device a user access an application, whether it is a computer, laptop, mobile device or any other”, col.47, lines 9-12 “wherein the third-party data providers comprises a device geolocation data provider, a device blacklist data provider, and a device whitelist data provider.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate an attack signaling system wherein the contactless card is configured to, upon detection of a potential attack, create a one-time password that is indicative of the potential attack of Duane et al. (‘997, col/line 1/64-2/5) and a method that enables a service provider to identify possible in-process fraudulent authentication transactions, based on both user and device historical data analysis of Varghese et al. (‘645, col.4, lines 37-39) with the teaching of Rule et al. for deactivating by the first applet the second applet based on exceeding one or more predetermined thresholds (‘454, col.2, lines 50-58) for providing authentication services that can include a device fingerprinting and confirmation of basic machine data, e.g., IP address, operating systems, device ID and wherein third parties may include a device geolocation data provider, a device blacklist data provider, and a device whitelist data provider (‘645, col.9, lines 59-61, col.47, lines 9-10).
Conclusion
44. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US10909527B2 – Rule et al. – Discloses system and methods for reissuing or otherwise altering information stored on contactless cards wherein the server can communicate with the client device to cause the client device to begin the card reissue process, such as when a data breach occurs, and when account has been breached for security purposes, the number associated with your old card has been disabled.
US11803837B2 – Singh – Discloses a system, method, and a smart contactless card to detect real-time suspicious card readers or other fraudulent devices. Prior to a transaction, the smart contactless card detects suspicious card readers or fraudulent devices. An alert may be generated upon detection of any suspicious or fraudulent card reader.
US20200104942A1 – Riechers et al. – Discloses a stored balance with multi-channel withdrawal access is described. In an example, a server of a payment processing service can determine a stored balance based on funds received from point-of-sale (POS) transactions processed via the payment processing service on behalf of a merchant. The stored balance can be maintained in a ledger of the payment processing service. The server can associate the stored balance with a payment instrument of the merchant.
US20100274712A1 – Mestre et al. – Discloses techniques for enabling performance of a quality control function on the contactless interface while the contactless interface is disabled. The techniques include implementing, on a dual-interface payment device, one or more security mechanisms, wherein the dual-interface payment device comprises a first interface and a second interface, using the one or more security mechanisms to prevent a subset of data corresponding to the first interface from being read using the second interface while allowing data corresponding to the second interface to be read using the first interface.
45. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMANULLA ABDULLAEV whose telephone number is (571)272-4367. The examiner can normally be reached Monday-Friday 9:30 AM - 4:30 PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan D Donlon, can be reached at 571-270-3602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AMANULLA ABDULLAEV/Examiner, Art Unit 3692
/RYAN D DONLON/Supervisory Patent Examiner, Art Unit 3692
March 20, 2026