Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This Office Action is in response to the RCE filed by the applicant on July 15, 2020.
Claims 1-5 and 7-17 are currently pending and are being examined.
Claims 1, 3, 4, 7, 9, 13, and 15 have been newly amended.

Response to Arguments
Arguments Regarding 35 U.S.C. 103
	Applicant's arguments with respect to claims 1-5 and 7-17 have been considered but are moot in view of the new ground(s) of rejection.

Arguments Regarding 35 U.S.C. 101
	On page 9 of their response, the applicant argues that, “Instead, similar to DDR Holdings, ‘the claimed solution is necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer’ analysis.” The examiner respectfully disagrees. Specifically, the examiner notes that the use of a token to process payment requests, as recited in the claims, does not provide a technical solution to a technical problem. While such a system may provide benefits/improvements to the business process (e.g. reducing the financial burden on merchants by eliminating their need for expensive transaction processing systems), these benefits are financial in nature. The claims, as currently drafted, do not indicate an improvement to transaction processing 
	On pages 11 and 12 of their response, the applicant argues that, “claim 1, when taken as a whole, eliminates the necessity of the shopping platform to operate within a PCI (Payment Card Industry) region, and therefore relives the shopping platform of the additional technical requirements necessary to comply with the PCI standard. These improvements clearly constitute a practical application of any allegedly abstract idea.” The examiner respectfully disagrees. As mentioned above, eliminating the need for shopping platforms to comply with PCI standards does not integrate the abstract idea into a practical application. This may provide financial benefits to the shopping platform. However, this does not constitute an improvement to payment processing technology.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3, 9, and 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 3, 9, and 15, these claims state, “wherein the credit card information comprises the credit card security code.” However, Independent claims 1, 7, and 13 state that the credit card from the personal account of the user according to the credit card security code.” These statements appear to be contradictory. Claims 3, 9, and 13 state that the credit card information comprises the credit card security code. However, claims 1, 7, and 13 state that the credit card security code is used to obtain the credit card information from a user account. It appears that claims 3, 9, and 15 are stating that the security code is used to obtain the credit card information (i.e. the security code). Therefore, the meaning of claims 3, 9, and 15 is unclear.
For the purpose of examination, claims 3, 9, and 15 have been interpreted as stating, “wherein the credit card information is associated with the credit card security code.” However, appropriate clarification is required.


Claim Rejections - 35 USC § 101
	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-5 and 7-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite an abstract idea of organizing human activities. This judicial exception is not integrated into a practical application and the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. 

Step 1
First of all, the claims are directed to a process (claims 1-5 and 7-17). 

Step 2A: Prong 1
Claim 1 recites an abstract idea of, “receiving the credit card information… generating a payment token representing the credit card information…; sending the payment token to… submit a first payment request comprising the payment token; receiving… a second payment request including the payment token, wherein the second payment request is generated… based on the first payment request…; locating the credit card information based on the payment token and the corresponding relationship between the credit card information and the payment token; and processing the second payment request based on the credit card information.”
This claim, as a whole, recites a method of organizing human activity because the claim recites a process that allows a user to complete a transaction using a token. This is an abstract idea of a certain method of organizing human activity, since it recites a commercial interaction, namely conducting a transaction using a token. The mere nominal recitation of generic computer components does not take the claim out of the methods of organizing human activity grouping. Thus, the claim is directed to an abstract idea.

Step 2A: Prong 2
Besides reciting the abstract idea, the remaining claim limitations (additional elements) recite generic computer components (e.g. payment server, client, application server). The recited abstract idea is not integrated into a practical application. In particular, claim 1 recites generic computer components (e.g. payment server and client) to receive/transmit/analyze data and perform the tokenized transaction. Similarly, merely stating that the payment server operates in a PCI region, and that the application server does not operate in a PCI region, does not integrate the abstract idea into a practical application. Rather, such statements merely provide additional detail regarding the security standards that must be satisfied by the payment server and the application server. Additionally, stating that the 

Claim 1 also includes the additional elements of:
receiving a login of a user into a personal account of the user,
receiving a credit card security code of the user,
obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code, and
sending the credit card information to a payment server
	These limitations merely states that the system gathers and transmits information associated with the user (e.g. login information, a security code, and credit card information). These limitations amount to no more than mere data gathering/transmitting, which are forms of insignificant extra-solution activity (See MPEP 2016.05(g): CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375 (Fed. Cir. 2011); and OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1363 (Fed. Cir. 2015)).

Claim 1 also includes the additional elements of:
“storing the credit card information;” and
“storing a corresponding relationship between the credit card information and the payment token”
 Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334 (Fed. Cir. 2015); and OIP Techs., 788 F.3d at 1363).

Additionally, claim 1 shows no improvement to the functionality of any computer technology. Accordingly, these additional elements, when considered both individually and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, claim 1 is directed to an abstract idea.
	
Step 2B
	Claim 1 does not include additional elements that amount to significantly more than the judicial exception. For the same reasons as described above, with respect to integration of the abstract idea into a practical application, claim 1 does not amount to significantly more than the judicial exception. Regarding the computer related components, they amount to no more than mere instructions to apply the abstract idea using generic computer components. 
	The limitations which state, “receiving a login of a user into a personal account of the user, receiving a credit card security code of the user, obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code, and sending the credit card information to a payment server,” described above as insignificant extra-solution activity have been re-evaluated in step 2B. As stated in MPEP 2106.05(d), a factual determination is required to support a conclusion that an additional element (or combination of additional elements) is well-understood, routine, conventional activity (Berkheimer v. HP, Inc., 881 F.3d 1360, 1368 (Fed. Cir. 2018)). In view of this requirement set forth by Berkheimer, this OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363 (Fed. Cir. 2015); and buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, (Fed. Cir. 2014)).
	The limitations which state “storing the credit card information; and storing a corresponding relationship between the credit card information and the payment token” described above as insignificant extra-solution activity have been re-evaluated in step 2B. As stated in MPEP 2106.05(d), a factual determination is required to support a conclusion that an additional element (or combination of additional elements) is well-understood, routine, conventional activity (Berkheimer v. HP, Inc., 881 F.3d 1360, 1368 (Fed. Cir. 2018)). In view of this requirement set forth by Berkheimer, this limitation does not integrate the abstract idea into a practical application, or amount to significantly more than the abstract idea, because the courts have found the concept of mere data storing to be well-understood, routine, and conventional activity (See MPEP 2016.05(d): Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334 (Fed. Cir. 2015); and OIP Techs., 788 F.3d at 1363).
	Therefore, claim 1 is not patent eligible under 35 U.S.C. 101.

Additional Independent Claims
	Similar arguments can be made for independent claims 7 and 13:
	Regarding claim 7, this claim recites the abstract idea of, “sending a first payment request… the first payment request including a payment token representing the credit card information; receiving a first payment request… the payment request including a payment token representing credit card information… and sending a second payment request, the second payment request including the payment token… to locate the credit card information based on the payment token and process the second payment request based on the credit card information… locat[ing] the credit card information based on the payment token and the corresponding relationship between the credit card information and the payment token…”
	Similarly to claim 1 described above, this claim recites abstract idea of a certain method of organizing human activity, since it recites a commercial interaction, namely conducting a transaction using a token. The limitations of claim 7 are substantially similar to those recited in claim 1, and, as a result, are rejected under a similar rationale as claim 1. 
	Besides reciting the abstract idea, claim 7 recites generic computer components (e.g. payment server, client, application server). The recited abstract idea is not integrated into a practical application. In particular, claim 7 recites generic computer components (e.g. payment server and client) to receive/transmit/analyze data and perform the tokenized transaction. Similarly, merely stating that the payment server operates in a PCI region, and that the application server does not operate in a PCI region, does not integrate the abstract idea into a practical application (as described above). Therefore, these additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using generic computer components.
	The limitations which state, “receiving a login of a user into a personal account of the user, receiving a credit card security code of the user, obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code, and sending the credit card information to a payment server,” amount to no more than insignificant extra-solution activity, namely gathering/transmitting data (as described above regarding claim 1).
	Similarly, the limitation which states, “wherein the credit card information, and a relationship between the credit card information and the payment token, are stored at the payment server.” Amounts to no more than insignificant extra-solution activity, namely merely storing data. Such  Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334 (Fed. Cir. 2015); and OIP Techs., 788 F.3d at 1363). 
	
	Regarding claim 13, this claim recites the abstract idea of, “obtaining a payment token representing the credit card information… submitting a first payment request… the first payment request including the payment token, wherein, responsive to receiving the first payment request… submits a second payment request to the payment server, the second payment request including the payment token… to locate the credit card information based on the payment token and process the second payment request based on the credit card information… wherein the payment server locates the credit card information based on the payment token and the relationship between credit card information and payment token…”
	Similarly to claim 1 described above, this claim recites abstract idea of a certain method of organizing human activity, since it recites a commercial interaction, namely conducting a transaction using a token. The limitations of claim 13 are substantially similar to those recited in claim 1, and, as a result, are rejected under a similar rationale as claim 1.
	Besides reciting the abstract idea, claim 13 recites generic computer components (e.g. payment server, client, application server). The recited abstract idea is not integrated into a practical application. In particular, claim 13 recites generic computer components (e.g. payment server and client) to receive/transmit/analyze data and perform the tokenized transaction. Similarly, merely stating that the payment server operates in a PCI region, and that the application server does not operate in a PCI region, does not integrate the abstract idea into a practical application (as described above). Therefore, 
	The limitations which state, “receiving a login of a user into a personal account of the user, receiving a credit card security code of the user, obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code, and sending the credit card information to a payment server,” amount to no more than insignificant extra-solution activity, namely gathering/transmitting data (as described above regarding claim 1).
	Similarly, the limitation which states, “wherein the credit card information, and a relationship between the credit card information and the payment token, are stored at the payment server.” Amounts to no more than insignificant extra-solution activity, namely merely storing data. Such limitations do not integrate the abstract idea into a practical application because the courts have found the concept of mere data storing to be well-understood, routine, and conventional activity (See MPEP 2016.05(d): Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334 (Fed. Cir. 2015); and OIP Techs., 788 F.3d at 1363).

Dependent Claims
	Dependent claims 2-5, 8-12, and 14-17 are also rejected under 35 U.S.C. 101 for the following reasons:
	Regarding Claims 2, 8, and 14, these claims merely add further description to the “token” recited in claims 1, 7, and 13. Merely stating that the token comprises letters and/or numbers does not integrate the abstract idea into a practical application, or amount to significantly more than the abstract idea, because it does not impose any meaningful limitations on practicing the abstract idea. 
Regarding Claims 3, 9, and 15, these claims merely add further description to the “credit card information” recited in claims 1, 7, and 13. Merely stating that the credit card information comprises the credit card security code does not integrate the abstract idea into a practical application, or amount to significantly more than the abstract idea, because it does not impose any meaningful limitations on practicing the abstract idea.
	Regarding Claims 4 and 16, merely stating that the system receives/transmits the credit card data via an API does not integrate the abstract idea into a practical application. Rather, these claims merely apply generic computing components (e.g. an API) in order to implement the abstract idea on a computer.
	Regarding Claims 5, 10, and 17, these claims merely add further description to the “token” recited in claims 1, 7, and 13. Merely stating that the token is valid for a set period of time does not integrate the abstract idea into a practical application, or amount to significantly more than the abstract idea, because it does not impose any meaningful limitations on practicing the abstract idea.
	Regarding Claim 11, this claim merely adds further description to the “token” recited in claims 1, 7, and 13. Merely stating that the token is created based on the credit card information does not integrate the abstract idea into a practical application, or amount to significantly more than the abstract idea, because it does not impose any meaningful limitations on practicing the abstract idea.
	Regarding Claim 12, this claim merely adds further description to the “first payment request” recited in claims 1, 7, and 13. Merely stating that the first payment request is an order received from the client does not integrate the abstract idea into a practical application, or amount to significantly more than the abstract idea, because it does not impose any meaningful limitations on practicing the abstract idea.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1-3 5, 7-15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Fisher (U.S. Pre-Grant Publication No. 20030126094) in view of Esfahani (U.S. Pre-Grant Publication No. 20020073345) and Subbarayan (U.S. Pre-Grant Publication No. 20180174138).

Regarding claim 1, Fisher teaches a credit card payment processing method comprising: at a client:
Receiving a login of a user into a personal account of the user (See at least Paragraphs 119 and 120: Describes a process for enrolling a user in a payment processing system using proxy account numbers. After a user is enrolled, they may complete an authentication process [e.g. entering a username and password, Paragraph 92] to access the Persistent Dynamic Payment Service [PDPS] portal on their personal computer),
Sending the credit card information to a payment server (See at least Paragraph 119: The PDPS extracts account information [e.g. an account number] from the payer during the enrolment process); and
At the payment server: receiving the credit card information from the client (See at least Paragraphs 92 and 119: The user provides a credit card/account number to the PDPS/payment processor [payment server] via a browser on their computer system),
Storing the credit card information (See at least Paragraph 119: The proxy account number and the cardholder's information is stored in a PDP database);
Generating a payment token representing the credit card information and storing the payment token (See at least Paragraph 119: The user is issued a proxy account number [token] which is associated with the user's actual account number. The proxy account number is stored in a database);
Storing a corresponding relationship between the credit card information and the payment token (See at least Paragraph 26: The PDPS includes a database which associates the proxy account number with the one or more valid account numbers);
Sending the payment token to the client for the client to submit a first payment request comprising the payment token to an application server (See at least Paragraphs 119 and 123: The user is issued the proxy account number and may use the proxy account number in place of their actual account number when making a purchase at a merchant website [application server]);
Receiving, from the application server, a second payment request including the payment token, wherein the second payment request is generated by the application server based on the first payment request, the application server does not receive the credit card information (See at least Paragraph 123 and 124: Once the merchant receives the proxy account number, the merchant forwards the proxy account number to the payment processor via their acquiring bank [second payment request]. The merchant does not receive the user's actual account information),
Locating the credit card information based on the payment token and the corresponding relationship between the credit card information and the payment token (See at least Paragraphs 124 and 125: The payment processor obtains the user's real account number from the PDPS using the proxy account number); and
Processing the second payment request based on the credit card information (See at least Paragraph 126: The payment processor then settles the transaction with the user's issuing bank using the user's real account number).

Fisher does not explicitly teach, but Esfahani, however, does teach:
Receiving a credit card security code of the user (See at least Paragraph 71: Describes a system for retrieving credit card information based on a code submitted by a user. The user may provide a sequence [security code] via an interface [client]), and
Obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code (See at least Paragraph 77: The transaction processor may decrypt the sequence and transmit a one-time transaction number [card information] to the user which can be used to complete a transaction).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher and Esfahani in order to increase the security of electronic transactions by providing a means of carrying out transactions over an open electronic link, which does not require the user to reveal his credit card number over the link (Esfahani: Paragraph 7).

The combination of Fisher and Esfahani does not explicitly teach, but Subbarayan, however, does teach:
Wherein the payment server operates in a PCI (Payment Card Industry) region, and the application server does not operate in the PCI region (See at least Paragraphs 103-106: Describes a system which utilizes "payment gateways" to eliminate the need for merchants to store credit card information and deal with PCI compliance rules [see Paragraphs 3 and 4]. The payment gateway system [payment server] implements PCI standards. This allows the merchant system [application server] to forward a payment token without the need to receive/store the user's actual payment information [see Paragraphs 104-106 and Figure 3A]. Although not explicitly stated, the merchant system does not need to comply with PCI regulations [see Paragraphs 3, 4, and 38]. Instead, the payment gateway system provides these services for the merchant).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher, Esfahani, and Subbarayan in order to reduce the burden on merchants from PCI compliance rules, and other expensive/time-consuming systems and regulations associated with processing payment transactions (Subbarayan: Paragraphs 2-8)

Regarding claim 2, Fisher teaches:
Where the payment token comprises a combination of letters and/or numbers (See at least Paragraph 119: The proxy account number is composed of numbers).

Regarding claim 3, Fisher does not explicitly teach, but Esfahani, however, does teach:
Wherein the credit card information comprises the credit card security code (See at least Paragraphs 84 and 85: Successful verification of the sequence input by the user results in the one-time transaction number. Therefore, the credit card information is associated with the security code).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher and Esfahani in order to increase the 

Regarding claim 5, Fisher teaches:
Where the payment token has a valid period (See at least Paragraph 13: Describes existing systems which use "temporary pseudo card numbers" which are valid for a limited duration).

Regarding claim 7, Fisher teaches a credit card payment processing method comprising: at a client: 
Receiving a login of a user into a personal account of the user (See at least Paragraphs 119 and 120: Describes a process for enrolling a user in a payment processing system using proxy account numbers. After a user is enrolled, they may complete an authentication process [e.g. entering a username and password, Paragraph 92] to access the Persistent Dynamic Payment Service [PDPS] portal on their personal computer),
Sending a first payment request to an application server, the first payment request including a payment token representing the credit card information (See at least Paragraphs 119 and 123: The user is issued the proxy account number and may use the proxy account number [token] in place of their actual account number when making a purchase at a merchant website [application server]); and
At the application server: receiving a first payment request from the client (See at least Paragraph 123: The user initiates a payment request at a merchant website [application server] which includes the proxy account number [token]. The proxy account number represents the user's actual account information [Paragraph 119]),
Wherein the application server does not receive the credit card information (See at least Paragraph 123 and 124: The merchant receives the proxy account number. However, the merchant does not receive the user's actual account information); and
Sending a second payment request, the second payment request including the payment token to a payment server for the payment server to locate the credit card information based on the payment token and process the second payment request based on the credit card information (See at least Paragraphs 123-126: The payment request is then forwarded through the merchant's acquiring bank to the PDPS/payment processor [payment server]. The payment processor obtains the user's real account number from the PDPS using the proxy account number. The payment processor then settles the transaction with the user's issuing bank),
Wherein the credit card information, and a relationship between the credit card information and the payment token, are stored at the payment server (See at least Paragraph 26: The PDPS includes a database which stores and associates the proxy account number with the one or more valid account numbers), and
Wherein the payment server locates the credit card information based on the payment token and the relationship between the credit card information and the payment token (See at least Paragraphs 124 and 125: The payment processor obtains the user's real account number from the PDPS using the proxy account number).

Fisher does not explicitly teach, but Esfahani, however, does teach:
Receiving a credit card security code of the user (See at least Paragraph 71: Describes a system for retrieving credit card information based on a code submitted by a user. The user may provide a sequence [security code] via an interface [client]), and
Obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code (See at least Paragraph 77: The transaction processor may decrypt the sequence and transmit a one-time transaction number [card information] to the user which can be used to complete a transaction).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher and Esfahani in order to increase the security of electronic transactions by providing a means of carrying out transactions over an open electronic link, which does not require the user to reveal his credit card number over the link (Esfahani: Paragraph 7).

The combination of Fisher and Esfahani does not explicitly teach, but Subbarayan, however, does teach:
Wherein the application server does not operate in a PCI (Payment Card Industry) region, and wherein the payment server operates in the PCI region (See at least Paragraphs 103-106: Describes a system which utilizes "payment gateways" to eliminate the need for merchants to store credit card information and deal with PCI compliance rules [see Paragraphs 3 and 4]. The payment gateway system [payment server] implements PCI standards. This allows the merchant system [application server] to forward a payment token without the need to receive/store the user's actual payment information [see Paragraphs 104-106 and Figure 3A]. Although not explicitly stated, the merchant system does not need to comply with PCI regulations [see Paragraphs 3, 4, and 38]. Instead, the payment gateway system provides these services for the merchant).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher and Subbarayan in order to reduce the 

Regarding claim 8, this claim is rejected under the same rationale as claim 2 described above.

Regarding claim 9, this claim is rejected under the same rationale as claim 3 described above.

Regarding claim 10, this claim is rejected under the same rationale as claim 5 described above.

Regarding claim 11, Fisher teaches:
Where the payment token is generated by the payment server based on the credit card information (See at least Paragraph 119: The proxy account number is generated in association with the user's actual account number).

Regarding claim 12, Fisher teaches:
Where the payment request is associated with an order received from the client (See at least Paragraph 122 and 123: The purchase is initiated based on merchandise picked out by the user in an online shop).

Regarding claim 13, Fisher teaches a credit card payment processing method applicable on a client, comprising:
Receiving a login of a user into a personal account of the user (See at least Paragraphs 119 and 120: Describes a process for enrolling a user in a payment processing system using proxy account numbers. After a user is enrolled, they may complete an authentication process [e.g. entering a 
Sending the credit card information to a payment server (See at least Paragraphs 92 and 119: The account number is sent to the PDPS/payment processor [payment server]),
Obtaining a payment token representing the credit card information from the payment server (See at least Paragraph 119: The user is issued a proxy account number [token] which is associated with the user's actual account number);
Submitting a first payment request to an application server, the first payment request including the payment token (See at least Paragraphs 119 and 123: The user may use the proxy account number in place of their actual account number when making a purchase at a merchant website [application server]),
Wherein, responsive to receiving the first payment request, the application server submits a second payment request to the payment server, the second payment request including the payment token for the payment server to locate the credit card information based on the payment token and process the second payment request based on the credit card information (See at least Paragraphs 123-126: The payment request, which includes the proxy account number, is then forwarded through the merchant's acquiring bank to the payment processor. The payment processor obtains the user's real account number from the PDPS using the proxy account number. The payment processor then settles the transaction with the user's issuing bank using the user's real account number),
Wherein the credit card information, and a relationship between the credit card information and the payment token, are stored at the payment server (See at least Paragraph 26: The PDPS includes a database which stores and associates the proxy account number with the one or more valid account numbers), and
Wherein the payment server locates the credit card information based on the payment token and the relationship between credit card information and payment token (See at least Paragraphs 124 and 125: The payment processor obtains the user's real account number from the PDPS using the proxy account number).

Fisher does not explicitly teach, but Esfahani, however, does teach:
Receiving a credit card security code of the user (See at least Paragraph 71: Describes a system for retrieving credit card information based on a code submitted by a user. The user may provide a sequence [security code] via an interface [client]), and
Obtaining credit card information from the personal account of the user according to the credit card security code, wherein the credit card information is pre-bound to the credit card security code (See at least Paragraph 77: The transaction processor may decrypt the sequence and transmit a one-time transaction number [card information] to the user which can be used to complete a transaction).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher and Esfahani in order to increase the security of electronic transactions by providing a means of carrying out transactions over an open electronic link, which does not require the user to reveal his credit card number over the link (Esfahani: Paragraph 7).

The combination of Fisher and Esfahani does not explicitly teach, but Subbarayan, however, does teach:
Wherein the payment server operates in a PCI (Payment Card Industry) region, and wherein the application server does not operate in the PCI region (See at least Paragraphs 103-106: Describes a system which utilizes "payment gateways" to eliminate the need for merchants to store credit card 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher, Esfahani, and Subbarayan in order to reduce the burden on merchants from PCI compliance rules, and other expensive/time-consuming systems and regulations associated with processing payment transactions (Subbarayan: Paragraphs 2-8)

Regarding claim 14, this claim is rejected under the same rationale as claim 2 described above.

Regarding claim 15, this claim is rejected under the same rationale as claim 3 described above.

Regarding claim 17, this claim is rejected under the same rationale as claim 5 described above.


	
	Claims 4 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Fisher in view of Esfahani and Subbarayan, and in further view of McGuire (U.S. Patent No. 8763142).

	Regarding Claim 4, the combination of Fisher, Esfahani, and Subbarayan does not explicitly teach, but McGuire, however, does teach:
	Where the receiving credit card information from the client comprises: receiving the credit card information from the client via an API interface of the payment server (See at least Col. 9, Lines 3-24: 
	Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher, Esfahani, Subbarayan, and McGuire in order to increase the efficiency of the tokenization process by providing a more standardized and flexible means for collecting user data.

	Regarding Claim 16, the combination of Fisher, Esfahani, and Subbarayan does not explicitly teach, but McGuire, however, does teach:
	Where the sending the credit card information to a payment server comprises: sending the credit card information to the payment server via an API interface provided by the payment server to exchange for a payment token, and the obtaining a payment token representing the credit card information from the payment server comprises: obtaining, via the API interface, the payment token representing the credit card information from the payment server (See at least Col. 9, Lines 3-24: Describes using an API to send payment card numbers to a "tokenizer" and receive a token corresponding to the payment number).
	Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the application, to combine the teachings of Fisher, Esfahani, Subbarayan, and McGuire in order to increase the efficiency of the tokenization process by providing a more standardized and flexible means for collecting user data.




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM D NEWLON whose telephone number is (571)272-4407.  The examiner can normally be reached on Mon - Fri 9:30 - 5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Namrata Boveja can be reached on (571) 272-8105.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/WILLIAM D NEWLON/Examiner, Art Unit 3696         

/EDWARD CHANG/Primary Examiner, Art Unit 3696