`
`PATENT AND TRADEMARK OFFICE
`
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`________________
`
`APPLE INC.,
`
`Petitioner,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`
`Patent Owner
`
`________________
`
`Case IPR2018-00812
`
`U.S. Patent No. 8,856,539
`
`________________
`
`PATENT OWNER’S SUR-REPLY
`
`
`
`TABLE OF CONTENTS
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Page
`
`II.
`
`PATENT OWNER’S LIST OF EXHIBITS ............................................................ III
`I.
`REBER AND FRANKLIN FAIL TO DISCLOSE ACCOUNT
`IDENTIFYING INFORMATION NOT PROVIDED TO A
`PROVIDER ..................................................................................................... 1
`A.
`Patent Owner Properly Applied Petitioner’s Construction ................... 1
`B.
`No Motivation to Combine Reber and Franklin ................................... 3
`REBER AND FRANKLIN FAIL TO DISCLOSE “ACCESS
`RESTRICTIONS” ........................................................................................... 5
`A.
`Intrinsic Evidence Supports Patent Owner’s Construction While
`Petitioner’s Effective Construction is Impermissibly Broad ................ 5
`Reber and Franklin Fail to Disclose “Access Restrictions” ................ 10
`Reber and Franklin Fail to Disclose Third Party Limitation .............. 16
`Reber and Franklin Fail to Disclose “Receive a Transaction
`Request…” Limitations of Claims 1 and 22 ....................................... 23
`1.
`Intrinsic Evidence Supports Patent Owner’s Construction ...... 23
`2.
`Reber and Franklin Fail to Disclose “Receive a
`Transaction Request” ................................................................ 25
`Reber and Franklin Fail to Disclose Claims 3 and 24 ......................... 28
`E.
`III. CONCLUSION .............................................................................................. 29
`
`B.
`C.
`D.
`
`i
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`TABLE OF AUTHORITIES
`
`Page
`
`Cases
`Arendi S.A.R.L. v. Apple Inc.,
`832 F.3d 1355 (Fed. Cir. 2016) .................................................................... 12, 26
`Dayco Products, Inc. v. Total Containment, Inc.,
`258 F.3d 1317 (Fed. Cir. 2001) .........................................................................8, 9
`DSS Technology Management, Inc. v. Apple, Inc.,
`885 F.3d 1367 (Fed. Cir. 2018) ...........................................................................12
`In re: Stepan Company,
`868 F.3d 1342 (Fed. Cir. 2017) ...........................................................................28
`Leggett & Platt, Inc. v. Hickory Springs Mfg. Co.,
`285 F.3d 1353 (Fed. Cir. 2002) ............................................................................. 9
`Shire Development LLC v. Osmotica Kereskedelmi És Szolgaltato KFT,
`No. 1:12-CV-00904-AT, 2013 WL 11740203 (N.D. Georgia Sept. 25, 2013)..... 9
`Versa Corp. v. Ag-Bag Int’l Ltd.,
`392 F.3d 1325 (Fed. Cir. 2004) .........................................................................8, 9
`Statutory Authorities
`35 U.S.C. § 112 ................................................................................................. 2, 7, 9
`Rules and Regulations
`37 C.F.R. § 42.23(b) ................................................................................................17
`
`ii
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Ex. 2101
`
`Ex. 2102
`
`Ex. 2103
`
`Ex. 2104
`
`Ex. 2105
`
`Ex. 2106
`
`Ex. 2107
`
`Ex. 2108
`
`Ex. 2109
`
`Ex. 2110
`
`Ex. 2111
`
`Ex. 2112
`
`Ex. 2113
`
`PATENT OWNER’S LIST OF EXHIBITS
`
`Declaration by Dr. Markus Jakobsson in Support of
`Patent Owner’s Preliminary Response
`
`Curriculum Vitae of Dr. Markus Jakobsson
`
`Declaration ISO of Unopposed Motion for Admission
`Pro Hac Vice of Jordan B. Kaericher.
`
`Declaration ISO of Unopposed Motion for Admission
`Pro Hac Vice of Harold A. Barza
`
`U.S. Application No. 11/768,729
`
`U.S. Application No. 09/710,703
`
`Declaration by Dr. Markus Jakobsson in Support of
`Motion to Amend
`Declaration of Dr. Markus Jakobsson in Support of
`Patent Owner’s Response
`
`Rough Deposition Transcript of Dr. Victor John Shoup
`
`Disclaimer of Claims 5-8, 17-20, 26-30
`
`Final Deposition Transcript of Dr. Victor John Shoup
`U.S. District Court for Delaware Report and
`Recommendation.
`
`Declaration by Dr. Markus Jakobsson in Support of
`Patent Owner’s Reply to MTA Opposition
`
`iii
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Petitioner’s Reply—which introduces new arguments in violation of the
`
`Board’s rules—fails to remedy several deficiencies in its Petition.
`
`I.
`
`REBER AND FRANKLIN FAIL TO DISCLOSE ACCOUNT
`IDENTIFYING INFORMATION NOT PROVIDED TO A PROVIDER
`
`A.
`
`Patent Owner Properly Applied Petitioner’s Construction
`
`Petitioner contradicts itself when it argues that Patent Owner (PO) “Fails to
`
`Apply
`
`the Broadest Reasonable
`
`Interpretation of
`
`‘Account
`
`Identifying
`
`Information.’” Reply at 2. It was Petitioner—not Patent Owner—who previously
`
`argued that “[u]nder the broadest reasonable construction standard, the term
`
`‘account identifying information’ as used in the ’539 patent means ‘personal
`
`information about an entity such as name, address, or account number.’” Petition at
`
`16; see also id. at 21, 37-38. In its Response (POR [Paper 25]), PO showed that,
`
`under Petitioner’s own proffered construction, both Reber and Franklin fail to
`
`disclose that account identifying information is not provided to a provider because
`
`these references each disclose name and/or address information to the provider. POR
`
`at 27-32. Thus, PO’s analysis simply applied Petitioner’s construction, and did not
`
`“improperly narrow the claims.” Reply at 2.
`
`Backtracking on its own construction, Petitioner first contends that “claim 4
`
`of the ’539 patent explicitly requires the secure registry to transmit address
`
`information to the provider,” and, consequently, “independent claim 1 must be
`
`1
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`construed broadly enough to encompass transmission of address information to the
`
`provider.” Id. However, rather than require the secure registry to transmit address
`
`information to the provider, claim 4 requires the secure registry “to obtain the
`
`appropriate address for delivery of the item by the third party.” Ex. 1101 at cl. 4.1
`
`Next, while originally arguing that its construction for account identifying
`
`information “is supported by the patent specification” (Petition at 16), Petitioner now
`
`contends that PO’s application of Petitioner’s construction “is inconsistent with the
`
`’539 specification because the secure registry, in at least some embodiments, must
`
`send personal information, such as a user’s name or address.” Reply at 2. However,
`
`whether the ’539 specification provides examples where a user’s name or address is
`
`provided to a merchant is irrelevant: the claims define the scope of the invention, not
`
`the specification. 35 U.S.C. § 112. And here the claims unequivocally require that
`
`“account identifying information is not provided to the provider.”
`
`Petitioner cannot have it both ways, relying on its proposed broad construction
`
`of “account identifying information” in its Petition in an attempt to show that Reber
`
`and Franklin render the Challenged Claims unpatentable (see Petition at 21, 37-38),
`
`1 Emphasis added unless otherwise indicated.
`
`2
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`and then later distancing itself from its construction when it no longer benefits its
`
`arguments.
`
`B.
`
`No Motivation to Combine Reber and Franklin
`
`Petitioner fails to establish that a POSITA would not be motivated to combine
`
`Reber with Franklin regarding the above limitation. First, Petitioner argues that
`
`“Reber does not suggest that the user’s actual name or address are provided as part
`
`of a transaction,” and that Reber and Franklin only “in some instances” provide a
`
`name or address to a merchant. Reply at 5. This misapprehends Reber and Franklin.
`
`Reber explicitly states, “After approving the transaction, the computer 20 creates a
`
`record of the transaction. The record of the transaction includes data representative
`
`of…the party initiating the transaction, the item, a party associated with the item.”
`
`Ex. 1131, Reber at 5:32-37. These actions are not optional; Reber does not recite
`
`“may create” or “may include.” See id.
`
`Next, Reber unambiguously states that after computer 64 authenticates the
`
`end user’s second data element, “computer 64 sends a message indicating the
`
`transaction to the first party.” Id. at 6:18-20. While Reber does describe that the
`
`message “can include data representative of…a name associated with the second
`
`party, an address associated with the second party” (Id. at 6:20-23), Reber does not
`
`teach that the specific contents of the message, such as the end user’s name/address,
`
`3
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`is in any way based on security concerns of the merchant. See id. at 6:20-25.2 Indeed,
`
`Reber expresses no concern over dishonest merchants—Reber trusts merchants (see
`
`POR at 34)—and instead is worried about interception of a user’s personal
`
`identification number (PIN) by unauthorized parties while transmitting the PIN to a
`
`merchant. See id. at 1:52-54, 2:29-32. Similarly, Franklin also does not teach that its
`
`provision of the customer-specific data (e.g., “card-holder’s name, account number,
`
`etc.”) to the merchant is optional: “these input parameters are pre-known or made
`
`available to both the customer and the merchant.” Ex. 1132, Franklin at 5:30-31,
`
`9:55-58.
`
`A POSITA would understand Reber trusts merchants and relies on the
`
`merchant having at least the purchaser’s name and address so that the purchased
`
`items and corresponding invoices/receipts are delivered to the purchaser. Ex. 2108,
`
`2 Reber also repeatedly demonstrates what features are optional by expressly using
`
`the word “optionally” when describing certain components or actions that its system
`
`may, but is not required to, include or take. See, e.g., id. at 3:59-61, 4:28-30, 4:31-
`
`33, 6:25-28, 6:58-60, 7:4-6, 7:45-48, 7:53-55, 7:66-8:1, 8:21-22, 9:33-36. Tellingly,
`
`Reber does not teach that the message it unconditionally sends to the first party, or
`
`its contents, are “optional.”
`
`4
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Jakobsson Decl. at ¶ 66. A POSITA would not be motivated to modify Reber to
`
`eliminate this step of sending the merchant the purchaser’s name and address
`
`information because it would frustrate Reber’s end goal of effectuating a transaction
`
`if the purchaser could not receive their purchased items. Id.
`
`II.
`
`REBER AND FRANKLIN FAIL TO DISCLOSE “ACCESS
`RESTRICTIONS”
`
`A.
`
`Intrinsic Evidence Supports Patent Owner’s Construction While
`Petitioner’s Effective Construction is Impermissibly Broad
`
`Petitioner disputes Patent Owner’s construction of “access restrictions for the
`
`provider to [secure data / at least one portion of secure data]” (hereinafter referred
`
`to as “access restrictions”). Reply at 6-10. Petitioner instead construes the term so
`
`that mere merchant identity validation satisfies the detailed claim limitation of
`
`“execut[ing] a restriction mechanism to determine compliance with any access
`
`restrictions for the provider to secure data of the entity for completing the
`
`transaction.” See Petition at 37. Petitioner is wrong.3
`
`3 Petitioner also alleges that Patent Owner’s construction is “unsupported even by
`
`its own expert.” Reply at 7. This is patently false. See, e.g., Ex. 2108, Jakobsson at
`
`¶¶50-52.
`
`5
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`First, Petitioner argues that the examples Dr. Jakobsson provided during his
`
`deposition do not support construing “access restrictions” to be “specific to the
`
`provider.” Reply at 7. Dr. Jakobsson’s testimony supports such a construction and
`
`further serves to show the impropriety of Petitioner’s position that merchant identity
`
`validation alone satisfies the claim. Dr. Jakobsson’s first example describes how a
`
`particular type of provider, such as gas stations, may be subject to access restrictions
`
`specific to them that limit the amount they can charge to a card during a period of
`
`time to prevent fraud. See Ex. 1137, Jakobsson Depo. 363:4-364:12. Imposition of
`
`this access restriction is (1) different than merchant identity validation alone since
`
`the gas station—a valid merchant authorized to conduct credit card transactions—is
`
`also subject to this access restriction, and (2) “specific to the provider” because the
`
`access restriction may only apply to gas stations and not other types of merchants.
`
`Dr. Jakobsson’s second example, related to access restrictions that may be in
`
`place for off-shore, online gambling sites, also supports PO’s proffered construction.
`
`See Ex. 1137, Jakobsson Depo. at 365:25-366:20. Such sites are valid merchants
`
`authorized to accept credit card deposits from users but may nonetheless be subject
`
`to access restrictions based on the geographical location of the user desiring the
`
`transaction (e.g., U.S.-based requests denied but Canada-based requests allowed).
`
`Here to, the access restrictions are specific to the provider (off-shore gambling sites),
`
`6
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`and determining compliance with such access restrictions (determining location of
`
`requester) goes beyond merchant identity verification alone.
`
`Petitioner also fruitlessly argues that PO’s construction should be rejected
`
`because some embodiments in the ’539 patent describe examples where access to
`
`secure data is given “without the need for merchant-specific permissions.” Reply at
`
`8. However, whether the ’539 specification provides examples where secure data is
`
`accessed without satisfying merchant-specific restrictions is irrelevant: the claims
`
`define the scope of the invention, not the specification. 35 U.S.C. § 112. Here, the
`
`claims expressly require that the secure registry “execute a restriction mechanism to
`
`determine compliance with any access restrictions for the provider to secure data of
`
`the entity for completing the transaction.” See, e.g., Ex. 1101 at cl. 1.
`
`Second, Petitioner argues that “[n]othing in the ’539 claims suggests that the
`
`access restrictions determine which specific data may be accessed,” and that
`
`“[b]ecause ‘secure data’ is not limited to any specific data type, USR’s proposed
`
`limitation is improper.” Reply at 8-9. But the proposed construction is silent about
`
`“data type[s].” See POR (Paper 25) at 21. Instead, PO’s proffered construction only
`
`specifies “what secure data may or may not be accessed,” not “what type.” And
`
`ample intrinsic evidence exists that provides support for PO’s construction. For
`
`example, the ’539 patent discloses that “access information 34” stored in each entry
`
`7
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`30 of the secure registry’s database 24 allows “different levels of security to attach
`
`to different types of information stored in the entry 30” so that the user can specify
`
`which providers can have access to select, specific data such as credit card numbers,
`
`medical information, and tax information. See Ex. 1001 at 8:62-9:11; FIGS. 1, 3; see
`
`also id. at 9:1-6, 14:26-33.
`
`Third, Petitioner contends that “access restrictions” do not require “two or
`
`more” restrictions, relying on Versa Corp. v. Ag-Bag Int’l Ltd., 392 F.3d 1325, 1330
`
`(Fed. Cir. 2004) and Dayco Products, Inc. v. Total Containment, Inc., 258 F.3d 1317,
`
`1328 (Fed. Cir. 2001). Reply at 9-10. However, these two cases are readily
`
`distinguishable.
`
`In Versa Corp., the alleged infringer argued that an independent claim’s
`
`means-plus-function plural recitation of “channels” suggested the claim required
`
`both a recited perforated pipe and flutes since a perforated pipe alone did not create
`
`multiple channels. 392 F.3d at 1330. In rejecting this contention, the Court focused
`
`on the “context” of the claim language to hold that under the doctrine of claim
`
`differentiation a dependent claim also requiring flutes would be superfluous unless
`
`the independent claim were read to not require flutes. Id. at 1329-1330.
`
`The present claims’ use of “access restrictions” in the plural, however,
`
`presents no such contextual issues. Reading “access restrictions” to require “two or
`
`8
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`more restrictions” does not render any other claims superfluous under the doctrine
`
`of claim differentiation, nor are the recited claims means-plus-function claims. See
`
`Shire Development LLC v. Osmotica Kereskedelmi És Szolgaltato KFT, No. 1:12-
`
`CV-00904-AT, 2013 WL 11740203, at *14 (N.D. Georgia Sept. 25, 2013) (Holding
`
`the plural claim terms “substances” and “compounds” to mean “at least two
`
`substances” and “at
`
`least
`
`two compounds,” respectively, and expressly
`
`distinguishing Versa Corp. because of its reliance on §112, ¶6 and claim
`
`differentiation.)
`
`Dayco is similarly distinguishable. Like Versa Corp., Dayco also involved
`
`interpreting a plural term based on claim differentiation. See Dayco, 258 F.3d at
`
`1328; see also Shire Development, 2013 WL 11740203, at *14 (distinguishing
`
`Dayco for involving claim differentiation). But the ’539 patent claims do not use the
`
`terms “plurality,” “one or more,” “two or more,” or the like, as Dayco. Moreover,
`
`the context of the ’539 patent claims does not require that “access restrictions” be
`
`construed inconsistent with its ordinary and accepted meaning, as there are no claim
`
`differentiation issues. As such, the plural recitation of “access restrictions” requires
`
`construction as “two or more restrictions….” See also Leggett & Platt, Inc. v.
`
`Hickory Springs Mfg. Co., 285 F.3d 1353, 1357 (Fed. Cir. 2002) (Holding that “the
`
`9
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`claim recites ‘support wires’ in the plural, thus requiring more than one welded
`
`‘support wire.’”)
`
`Petitioner also argues that “the claim language contemplates determining
`
`compliance with ‘any’ access restrictions, compelling the conclusion that not even
`
`one access restriction is required.” Reply at 9-10. But the term “any” does not negate
`
`the requirement that “access restrictions” be construed to require “two or more
`
`restrictions.” Instead, the ordinary and accepted meaning of “any” in context of the
`
`claim limitation would mean any of the two or more restrictions specific to the
`
`provider.
`
`B.
`
`Reber and Franklin Fail to Disclose “Access Restrictions”
`
`As an initial matter, Petitioner does not dispute that under Patent Owner’s
`
`proffered construction for “access restrictions,” Reber and Franklin fail to teach or
`
`disclose two or more access restrictions. See Reply at 9-14. Rather, Petitioner only
`
`argues that PO’s construction requiring “two or more” is improper. See Reply at 9-
`
`10. Adopting PO’s proposed construction for “access restrictions” as requiring “two
`
`or more” would merit denial of the Petition as to Challenged Claims 1-3, 16, 21-24,
`
`and 37.
`
`First, Petitioner alleges that PO “wholly overlooks Reber’s express teaching
`
`that limiting merchant access to sensitive data is critical.” (Reply at 11, citing
`
`10
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Ex. 1131, Reber at 1:46-49, 2:29-32). On the contrary, Reber does not expressly
`
`teach that merchant access to sensitive data is limited. The cited portions of Reber
`
`make clear that Reber is instead concerned with interception of a user’s credit card
`
`number and/or PIN by unauthorized parties (e.g., eavesdroppers) and not dishonest
`
`merchants. Ex. 1131, Reber at 1:46-49, 2:29-32; see also id. at 1:52-54 (addressing
`
`interception and subsequent use of PIN by unauthorized parties).
`
`Therefore, it would not “have been an obvious part of any transaction using
`
`Reber’s systems” to “determin[e] whether a transacting merchant (such as Reber’s
`
`computer 20) has one or more restrictions on its access” to secure data that “the user
`
`deems to be sensitive and not suitable for provision to a merchant” (Reply at 11,
`
`citing Ex. 1131, Reber at 6:17-29) because Reber is not concerned with dishonest
`
`merchants and does not describe limiting merchant access to user data. See id. at
`
`1:46-54, 2:29-32. Indeed, Reber describes multiple instances where its system
`
`provides sensitive data to the alleged merchant (computer 20) for processing. Id. at
`
`5:32-37 (computer 20 “creates a record of the transaction” that “includes data
`
`representative of…the party initiating the transaction.”); 5:39-43 (send item to
`
`party); 6:19-24 (computer 64 sends merchant a message that can include user’s name
`
`and address). Finally, Reber also describes how in at least one embodiment computer
`
`20 is entrusted with the database of entries to translate the received second data
`
`11
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`element (alleged time-varying code) and approve the transaction. See id. at 5:4-15.
`
`Thus, Reber fails to disclose that its system addresses dishonest merchants, instead
`
`providing numerous examples demonstrating that it trusts merchants.
`
`Second, Petitioner argues that “Franklin’s discussion of ‘merchant validation’
`
`(Ex-1132, Franklin, 11:38-47) would have encompassed the claimed ‘compliance
`
`with any access restrictions.’” Reply at 11-12. However, besides its expert’s
`
`testimony (See Ex. 1135, Shoup Decl. at ¶34), Petitioner provides no evidence to
`
`support this contention. Petitioner’s reliance on expert extrapolation to supply this
`
`missing limitation is insufficient to show obviousness.
`
`The Federal Circuit has explained that “common sense” should not typically
`
`be used to supply a missing limitation. Arendi S.A.R.L. v. Apple Inc., 832 F.3d 1355,
`
`1361–62 (Fed. Cir. 2016) (overturning obviousness determination and Board’s
`
`reliance on common sense to supply a missing limitation); DSS Technology
`
`Management, Inc. v. Apple, Inc., 885 F.3d 1367, 1374 (Fed. Cir. 2018) (same).
`
`Where “common sense is used to supply a missing limitation, as distinct from a
`
`motivation to combine,” the Board’s “search for a reasoned basis for resort to
`
`common sense must be searching.” Arendi, 832 F.3d 1361-62 (“common sense is
`
`typically invoked to provide a known motivation to combine, not to supply a missing
`
`claim limitation.”) (emphasis in the original); see also Cisco System, Inc. et al. v.
`
`12
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Oyster Optics, LLC, IPR2017-01881, Paper No. 29, slip op. 44 (Feb. 26, 2019)
`
`(rejecting Petitioner’s attempt to “fill in the missing transmitter” limitation based
`
`upon its expert’s testimony that “a POSITA would have understood the node
`
`incorporating the receiver in [the prior art at] FIG. 2 would have also included a
`
`transmitter”).
`
`Here, Petitioner concedes that Franklin’s discussion concerning merchant
`
`validation by the acquiring bank does not expressly teach “access restrictions,” and
`
`instead Petitioner relies upon its expert’s assertion that “a POSITA would have
`
`understood that validating a merchant during a transaction…would involve not only
`
`confirming the merchant’s identity, but also ensuring that the validated merchant is
`
`entitled to the access it seeks before forwarding that request to the issuing bank for
`
`approval.” Reply at 11-12. This allegation is nothing more than the type of “common
`
`sense” argument that the Federal Circuit and Board have repeatedly rejected. Indeed,
`
`Petitioner’s contention is not proffered as a motivation to combine Franklin with
`
`Reber, but serves only to extrapolate Franklin’s teaching of merchant identity
`
`validation at an acquiring bank to something significantly more: a determination that
`
`a provider has complied with access restrictions in place for a provider before
`
`allowing access to secure data. No such teaching is made in Franklin and Petitioner’s
`
`attempt to extrapolate such a teaching from Franklin runs counter to case law.
`
`13
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Moreover, Dr. Jakobsson explained that a POSITA would understand that
`
`merchant validation is not the same thing as determining compliance with “access
`
`restrictions,” even provided two real-world examples during his deposition
`
`highlighting this distinction. See Ex. 1137, Jakobsson Depo. 363:4-364:12, 365:25-
`
`366; see also Ex. 2108, Jakobsson Decl. at ¶¶71-72.
`
`Third, Petitioner contends “Franklin expressly discloses that the acquiring
`
`bank receives a request for authorization and subsequently validates both the
`
`merchant identity [indication of the provider] and the time-varying credit card
`
`number [time-varying multicharacter code] simultaneously.” Reply at 12 (citing
`
`Ex. 1132, Franklin at 11:33-49).4 Petitioner mischaracterizes Franklin’s teachings.
`
`In Franklin, the acquiring bank does not validate the proxy credit card number (i.e.,
`
`transaction number); that task is explicitly carried out by the issuing bank through a
`
`complex process requiring “test MAC” generation and comparison. See Ex. 1132,
`
`4 This is a new argument presented by Petitioner and it should be disregarded by
`
`the Board. In its Petition, Petitioner relied on Franklin’s discussion of merchant
`
`validation only to show that compliance with “access restrictions” was based on an
`
`“indication of the provider,” not “time-varying multicharacter code.” See Petition at
`
`37.
`
`14
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Franklin at 11:46-12:33. A POSITA would understand that Franklin’s passing
`
`remark about the acquiring bank verifying “the credit card number represents a valid
`
`number” simply means that it checks to ensure that the card number meets certain
`
`basic requirements for credit card numbers (e.g., correct number of digits, doesn’t
`
`include letters, etc.). Indeed, the acquiring bank does not possess the customer
`
`database 62—which includes the customer’s private key and customer-related
`
`data—needed to validate the proxy credit card number. See, e.g., 12:1-26. Moreover,
`
`Franklin stresses that the merchant (and by extension the merchant’s acquiring bank)
`
`would not know that the proxy card number is not a standard credit card number.
`
`See, e.g., Ex. 1132, Franklin at 3:7-11.
`
`Furthermore, Franklin’s issuing bank, which does perform proxy card number
`
`validation, is a separate entity from the acquiring bank. See Ex. 1132, Franklin at
`
`11:39-49 (acquiring bank “not shown” in FIG. 7; “acquiring bank then
`
`forwards…request to the issuing bank”). Recognizing this deficiency, Petitioner
`
`argues for the first time that “it would have been obvious simply to perform the
`
`merchant validation procedure at the issuing bank…. One reason for organizing the
`
`system in this way would be to increase efficiency….” Reply at 12-13. The Board
`
`should ignore these new arguments since they could have been raised in the Petition
`
`and, at this stage in the proceeding, such new arguments prejudice PO who cannot
`
`15
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`introduce new evidence, such as expert testimony, to refute Petitioner’s claims. See
`
`PTAB Trial Practice Guide August 2018 Update (“TPG Update”), 14. However, to
`
`the extent these new contentions are considered, Petitioner again falls short.
`
`Petitioner’s new modification to Franklin, which rolls in merchant validation
`
`into the issuing bank, still does not address whether determination of compliance
`
`with any access restrictions for the provider is based at least in part on the time-
`
`varying multicharacter code of the transaction request. Franklin says nothing about
`
`whether the merchant who sent the transaction request complies with any access
`
`restrictions specific to the merchant.
`
`For at least these reasons above, Petitioner fails to show that Franklin and
`
`Reber render obvious “access restrictions.”
`
`C.
`
`Reber and Franklin Fail to Disclose Third Party Limitation
`
`Patent Owner advanced numerous arguments concerning why the Petition
`
`failed to show that Reber and Franklin disclosed “the account identifying
`
`information is provided to a third party to enable or deny the transaction with the
`
`provider” (hereinafter “third party limitation”), and why the Petition failed to show
`
`that it would be obvious to combine Reber and Franklin. See POR at 45-55. Instead
`
`of addressing Patent Owner’s rebuttal head-on, Petitioner chose to ignore the
`
`Petition’s contentions, and PO’s responses thereto, and instead present entirely new
`
`16
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`arguments for why Reber and Franklin disclose the third party limitation, and why a
`
`POSITA would be motivated to combine/modify Reber and Franklin to achieve this
`
`limitation. These new arguments prejudice PO and must be disregarded because they
`
`attempt to make out new theories of unpatentability that could have been presented
`
`earlier, but were not. See TPG Update, 14; See also 37 C.F.R. § 42.23(b).
`
`First, Petitioner argues for the first time that “Reber discusses the ability of
`
`the computer 64…to direct a third party (or parties) to credit and debit the provider
`
`and entity accounts…as a potential alternative to simply authenticating the
`
`transaction itself.” Reply at 14-15 (citing Ex. 1131, Reber at 6:25-28). By contrast,
`
`the Petition asserts that “Reber is described in terms of a transaction between two
`
`parties wherein a remote database performs a comparison and authentication of the
`
`transacting party’s identity,” couching its argument based on “what party controls
`
`the remote computer and database.” See Petition at 40. Now, for the first time,
`
`Petitioner pivots in an entirely new direction to argue that Reber alone discloses a
`
`third party because computer 64 “could take on a role as an intermediary…that
`
`directs” “a third party (such as a bank) to credit and debit accounts.” Reply at 14-15.
`
`The Board should disregard this new argument.
`
`Even considering Petitioner’s new position, Reber fails to satisfy the third
`
`party limitation. The cited portion of Reber (Ex. 1131, Reber at 6:25-28) does not
`
`17
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`mention a third party, or teach that computer 64 directs a third party. See id. Instead,
`
`the context of Petitioner’s citation reveals that Reber describes the various actions
`
`the computer 64 itself takes, including authenticating the second data element,
`
`sending a message indicating the transaction to a first party, and optionally, directing
`
`that accounts be credited/debited. See Ex. 1131, Reber at 6:17-28. Moreover,
`
`Dr. Jakobsson did not agree that a POSITA would understand the cited portion of
`
`Reber as teaching the computer 64 to direct a third party to credit/debit accounts.
`
`Instead, Dr. Jakobsson testified that 6:17-18 of Reber provides context to 6:25-28
`
`and makes it “very clear…[t]he direction is not the third party. The direction must
`
`be the computer performing the task or directing a portion of the computer [64].”
`
`Ex. 1137, Jakobsson Depo. at 434:11-18.
`
`Second, Petitioner’s newly presented contentions concerning Franklin—
`
`including newly annotated figures—are even more prejudicial. Petitioner’s Reply
`
`presents a combination of Reber and Franklin that sets forth an entirely new
`
`“architecture that hosts the functionality necessary to authenticate an external card
`
`number in one data center (shown in the modified Figure 1 below in red) and then
`
`involve a third party bank or other financial institution to receive sensitive user
`
`account information and conduct authentication as a traditional backend (shown
`
`18
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`below in green).” Reply at 16-17; compare Annotated FIG. 1 of Reply at 17 (shown
`
`below) with Annotated FIG. 1 of Petition at 25.
`
`Petitioner’s Reply goes on to include another newly annotated figure of
`
`Franklin to argue for the first time that Franklin’s issuing bank should be considered
`
`as two distinct entities (secure registry in red and third party in green). Reply at 16,
`
`18; compare Annotated FIG. 7 of Reply at 18 (shown below) with Annotated FIG.
`
`7 of Petition at 27.
`
`19
`
`
`
`Case No. IPR2018-00812
`U.S. Patent No. 8,856,539
`
`Petitioner also presents new motivations to combine in its Reply. See Reply
`
`at 18-19 (“minimize changes to the software running existing processing systems,”
`
`“existing infrastructure should be left