Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 15/710300 filed on 12/29/2020; claims 1, 11, and 19 have been amended; and claims 1, 11, and 19 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 12/29/2020, with respect to limitations listed below, have been fully considered but they are not persuasive.
a. Applicants argue: McGuire, Garcia, Huba and Grady, alone or in any reasonable combination, fail to teach at least “a tokenization module executable using the one or more processors to generate a token representing the CHD and store the token and the decrypted CHD in the database in the hosted machine PCI environment, the token used to retrieve the stored decrypted CHD in a subsequent request” as recited in the amended claim 1 (Remark, pages 9-10, filed 12/29/2020).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that McGuire and Garcia do disclose the aforementioned limitations, as follows:
Mcguire teaches a tokenization module executable using the one or more processors to generate a token representing the CHD and store the token in the hosted machine PCI environment (Mcguire: fig. 14, pars. 130, 0138-0139; the tokenizer 1420 generates a new random token corresponding to the payment card number and returns the token and stores the token and the encrypted payment card number in the database on the PCI hosted computer system).
Garcia discloses media storage and playback of encrypted content, wherein storing the decrypted content in the database (Garcia: par. 0026; storing decrypted content on database 217), the token used to retrieve the stored decrypted CHD in a subsequent request (Garcia: par. 0026; storing decrypted content on database 217, for example, until instructed to retrieve the decrypted content by a playback device). 
It is clear that the combination of McGuire and Garcia as a whole does teach the aforementioned limitations. 
b. Applicants argue: McGuire, Garcia, Huba, and Grady fail to disclose all of Applicant’s claim features, Applicant respectfully requests the reconsideration and allowance of claim 1. Claims 2-10 depend from independent claim 1 and are allowable at least by virtue of their dependency (Remark, page 10, filed 12/29/2020).
The Examiner respectfully disagrees with the Appellant. The Examiner respectfully submits that the dependent claims 2-10 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to the claims 2-10.
c. Applicants argue: Independent claims 11 and 19 were rejected on the same basis as claim 1, have been similarly amended, and are, Applicant respectfully submits, (Remark, page 10, filed 12/29/2020). 
The Examiner respectfully disagrees with the Appellant. The Examiner respectfully submits that the independent claims 11 and 19, the Appellant submits that claims are similar arguments as to claim 1, and are patentable over the applied prior art.
d. Applicants argue: Claims 12-18 and 20 respectively depend upon claims 11 and 19 and are allowable at least by virtue of their respective dependencies. Accordingly, Applicant also respectfully requests the reconsideration and withdrawal of the 35 U.S.C. § 103 rejections of claims 12-18 and 20 (Remark, page 10, filed 12/29/2020).
The Examiner respectfully disagrees with the Appellant. The Examiner respectfully submits that the dependent claims 12-18 and 20 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to the claims 12-18 and 20.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.
Claims 1-3, 5-6, 9-13, 15-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over McGuire et al. (“McGuire,” US 2014/0366151, Pub. Date: Dec. 11, 2014) in view of Garcia (“Garcia,” US 2012/0308005, Pub. Date: Dec. 6, 2012), further in view of Huba et al. (“Huba,” US 2013/0081130, Pub. Date: Mar. 28, 2013).
Regarding claim 1, Mcguire teaches a point to point encryption and tokenization system for a hosted machine payment card industry (PCI) environment implementing a data security standard (Mcguire: fig. 14, pars 012, 0048, 0063, 0125, 0152; a payment processing system from a payment card entry pad to a tokenized transaction application employing point-to-point encryption and tokenization where the payment card industry, PCI, applications are hosted on computer systems implementing DSS regular standards), the system comprising:
an internal computing system equipped with one or more processors and operatively coupled to a database in the hosted machine PCI environment (Mcguire: pars. 0054, 0063; a computer system comprising a processor retrieves tokens from a database in a hosted computer system), the internal computing system configured to receive encrypted card holder data (CHD) from an external computing system outside the hosted machine PCI environment (Mcguire: fig. 14; pars. 0129, 0154, The computer system comprising a tokenizer 1420 receives encrypted payment-card data from the desktop running input module 1440 via a LAN or WAN), the internal computing system including a plurality of processing zones, each processing zone holding at least one of a plurality of processing modules (Mcguire, par. 0048, the computer system comprising three zones for PCI purposes each zone comprises a module; par. 0048, Payment-processing system 100 is compliant with, e.g., the PCI DSS standards, which require that "in-scope" systems (i.e., systems falling within the scope of regulation of the PCI DSS standards) be isolated from the rest of the corporate network, e.g., via a firewall.  The DSS standards also require that public Internet-facing web servers be isolated as well.  Payment-processing system 100 therefore employs three "in-scope" network segments, or zones, for PCI purposes: (i) a web-server zone including web store 110, (ii) a customer-service zone including input module 140, and (iii) a PCI server zone including tokenizer 120 and payment-card middleware 130.  Achieving and maintaining PCI compliance using these three well-defined and limited network segments and their corresponding functionality can be considerably simpler and more manageable to implement than remediating or modifying large sections of a corporate network; See also par. 0107), the plurality of processing modules including:
a decryption module executable using the one or more processors to decrypt the CHD (Mcguire: pars. 0130, 0148, the computer comprising a tokenizer 1420 module that decrypts payment-card data), 
a tokenization module executable using the one or more processors to generate a token representing the CHD and store the token in the hosted machine PCI environment (Mcguire: fig. 14, pars. 130, 0138-0139; the tokenizer 1420 generates a new random token corresponding to the payment card number and returns the token and stores the token and the encrypted payment card number in the database on the PCI hosted computer system), and
an authorization module executable using the one or more processors to process the decrypted CHD in response to a request from the external computing system and transmit a confirmation of the processing of the CHD and the token representing the CHD to the external computing system in place of the decrypted CHD (Mcguire: figs. 14-15, pars. 0090, payment-card middleware processes the decrypted payment-card number and sending a tokenized and settlement response to an authorization request to an application module (i.e. second computer system)); and
a communication interface configured to enable communication with the external computing system (Mcguire: fig. 10, pars. 0048, 0105, 0154; Payment-processing system 100 is compliant with, e.g., the PCI DSS standards, which require that "in-scope" systems (i.e., systems falling within the scope of regulation of the PCI DSS standards) be isolated from the rest of the corporate network, e.g., via a firewall.  The DSS standards also require that public Internet-facing web servers be isolated as well.  Payment-processing system 100 therefore employs three "in-scope" network segments, or zones, for PCI purposes: (i) a web-server zone including web store 110, (ii) a customer-service zone including input module 140, and (iii) a PCI server zone including tokenizer 120 and payment-card middleware 130.  Achieving and maintaining PCI compliance using these three well-defined and limited network segments and their corresponding functionality can be considerably simpler and more manageable to implement than remediating or modifying large sections of a corporate network; the zones are networked together by conventional network hardware and software with a LAN/WAN backbone and/or the Internet (communication interface configured to enable communication with the external computing system); the zones are implemented in a browser based system using a “same origin” policy; See also 0107).
Mcguire does not explicitly disclose storing the decrypted CHD in the database, the token used to retrieve the stored decrypted CHD in a subsequent request;
(Garcia: par. 0026; storing decrypted content on database 217), wherein the token used to retrieve the stored decrypted CHD in a subsequent request (Garcia: par. 0026; storing decrypted content on database 217, for example, until instructed to retrieve the decrypted content by a playback device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Garcia with the method and system of Mcguire, wherein storing the decrypted CHD in the database to provide users with means for the method enables allowing the probe/playback device to send captured content to the decrypting device as the content is captured so as to reduce storage requirements at the probe/playback device.  The method enables allowing the decrypting device to archive the content and subsequently send the content to the probe/playback device such that the content can be displayed and the content distribution system can verify that the advertisement is correctly distributed according to scheduled information, so that an advertiser or end-user can be obligated to pay for a service, thus enhancing customer satisfaction and revenues to a content provider (Garcia: par. 0006).
Mcguire and Garcia do not explicitly disclose at least two of the decryption module, tokenization module and authorization module being located in separate processing zones of the plurality of processing zones.
However, in an analogous art, Huba discloses methods, apparatus, and articles of manufacture to provide firewalls for process control systems, wherein at least two of the decryption module, tokenization module and authorization module are located in separate processing zones of the plurality of processing zones (Huba: par. 0023, …Typically, a firewall is physically or logically located at a point connecting the network to be protected or having a relatively high security level to another network having a relatively lower security level. Some systems or networks involve multiple levels of security and, thus, may include multiple firewalls and/or other security provisions. Typically, in these more complex systems or networks, the multiple levels of security may be considered different layers or zones of increasing security. As the security increases for each successive layer, zone or level, the restrictions associated with what entities may communicate with the next higher security layer, zone or level increase and, accordingly, the number of entities authorized to communicate typically decreases);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Huba with the method and system of Mcguire and Garcia, wherein at least two of the decryption module, tokenization module and authorization module are located in separate processing zones of the plurality of processing zones to provide users with means for the security of the communication network can be improved. The prevention of unauthorized access on communication network can be prevented effectively (Huba: par. 0023).
Regarding claim 2, the combination of Mcguire, Garcia, and Huba teaches the system of claim 1. Mcguire further teaches wherein a processing zone includes more than one processing module (Mcguire, par. 0048, the PCI server zone includes the tokenizer and payment card middleware (more than one processing module)).
Regarding claim 3, the combination of Mcguire, Garcia, Huba, and Grady teaches the system of claim 1. Mcguire further teaches wherein the authorization module (Mcguire: fig. 10,  par. 0088, a detokenized request (i.e. decrypted CHD) is sent for authorization and settlement to the payment-card middleware outside the hosted PCI computer system, and receives a response).
Regarding claim 5, the combination of Mcguire, Garcia, and Huba teaches the system of claim 1. Mcguire further teaches wherein the decryption module is a Hardware Security Module (HSM) (Mcguire: pars. 0127, 0130, 0148-0149, the tokenizer 1420 module that decrypts the payment-card data is a hardware/software add-on product).
Regarding claim 6, the combination of Mcguire, Garcia, Huba, and Grady teaches the system of claim 1. Mcguire further teaches wherein the hosted machine PCI environment and the external computing system are located in different geographic locations (Mcguire: par. 0156, the computing systems are geographically distributed).
Regarding claim 9, the combination of Mcguire, Garcia, and Huba teaches the system of claim 1. Mcguire further teaches wherein the token is an alphanumeric string (Mcguire: pars. 0050, 0139; Token with a random-generated alphanumeric string value).
Regarding claim 10, the combination of Mcguire, Garcia, and Huba teaches the system of claim 1. Mcguire teaches wherein the computing system in the hosted machine PCI environment is configured to:
receive a second request from the external computing system to process the CHD, the second request accompanied by the token representing the CHD (Mcguire: figs. 14-15, par. 0090, payment-card middleware receives request  from the application module to process the decrypted payment-card number, the request is received using (i.e. accompanied) the supplied token of the payment-card number);
retrieve, with the tokenization module, the decrypted CHD from the database using the token (Mcguire:  par. 0090; retrieve, from payment the payment-card number from the database using the supplied token);
process the decrypted CHD using the authentication module based on the second request (Mcguire: fig. 10, par. 0090, process the decrypted payment-card number using the payment-card middleware based on the received request); and 
transmit a confirmation of the processing of the CHD based on the second request and the token representing the CHD to the external computing system (Mcguire: figures 14, 15, par. 0090, send a tokenized and settlement response to the authorization request to an application module).
Regarding claim 11, claim 11 is directed to a point to point encryption and tokenization method in a hosted machine payment card industry (PCI) environment implementing a data security standard associated with the method claimed in claim 1; claim 11 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 12, claim 12 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 13, claim 13 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 15
Regarding claim 16, claim 16 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 10, and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 is directed to a non-transitory computer readable memory medium storing instructions, wherein the instructions are executable by a processor associated with the method claimed in claim 1; claim 19 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 is similar in scope to claim 10, and is therefore rejected under similar rationale.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over McGuire et al. (“McGuire,” US 2014/0366151, Pub. Date: Dec. 11, 2014) in view of Garcia (“Garcia,” US 2012/0308005, Pub. Date: Dec. 6, 2012), further in view of Huba et al. (“Huba,” US 2013/0081130, Pub. Date: Mar. 28, 2013), and Kausik (“Kausik,” US 6,895,391, DoP: May 17, 2005).
Regarding claim 7, the combination of Mcguire, Garcia, and Huba teaches the system of claim 1.  McGuire does not explicitly disclose wherein the CHD is encrypted using asymmetric encryption.
However, in an analogous art, Kausik discloses a method and system for secure authenticated payment on a computer network, wherein the CHD is encrypted using asymmetric encryption (Kausik: Col. 4, lines 40-44; The encryption key used for encrypting the cardholder's payment particulars--called the domain key--is typically shared between the issuer proxy 110 and the bridge computer 130, and may be either a symmetric key or an asymmetric encryption key).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kausik with the method and system of Mcguire, Garcia, and Huba wherein the CHD is encrypted using asymmetric encryption for benefit of a simple, secure and easy-to-deploy method and system for authenticating credit and/ or debit cardholders at a point-of-sale on a computer network (Kausik: Col. 1, line 66 to Col. 2, line 2).
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over McGuire et al. (“McGuire,” US 2014/0366151, Pub. Date: Dec. 11, 2014) in view of Garcia (“Garcia,” US 2012/0308005, Pub. Date: Dec. 6, 2012), further in view of Huba et al. (“Huba,” US 2013/0081130, Pub. Date: Mar. 28, 2013), and Lawless (“Lawless,” US 2007/0168228, Pub. Date: Jul. 19, 2007).
Regarding claim 4, the combination of Mcguire, Garcia, and Huba teaches the system of claim 1. McGuire does not explicitly disclose wherein the processing modules further includes:
a web services module implemented as middleware in the internal computing system in the hosted machine PCI environment, the web services module using a representational state transfer (REST) architecture.
However, in an analogous art, Lawless discloses integrated prescription management and compliance system, wherein the processing modules further includes:
 (Lawless: pars. 0072, the web services uses REST  for exchanging messages).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Lawless with the method and system of Mcguire, Garcia, and Huba wherein the processing modules further includes: a web services module implemented as middleware in the internal computing system in the hosted machine PCI environment, the web services module using a representational state transfer (REST) architecture for benefit of using an industry standard architecture suited for web transactions.
Regarding claim 14, claim 14 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over McGuire et al. (“McGuire,” US 2014/0366151, Pub. Date: Dec. 11, 2014) in view of Garcia (“Garcia,” US 2012/0308005, Pub. Date: Dec. 6, 2012), further in view of Huba et al. (“Huba,” US 2013/0081130, Pub. Date: Mar. 28, 2013), and Agrawal et al. (“Agrawal,” US 2011/0296173, Pub. Date: Dec. 1, 2011).
Regarding claim 8, the combination of Mcguire, Garcia, and Huba discloses the system of claim 1. McGuire does not explicitly disclose wherein the plurality of processing modules further include:

However, in an analogous art, Agrawal discloses a method and apparatus for achieving nonconformant public key infrastructures, wherein the plurality of processing modules further include: a key management module configured to issue public keys and store security certificates (Agrawal: fig. 1, par. 0015, key management system distribute (i.e. issue) public key certificate 108, 109 that includes a public key and stored in the CA server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Agrawal with the method and system of McGuire, Garcia, and Huba wherein the plurality of processing modules further include: a key management module configured to issue public keys and store security certificates to provide users with means for enabling the attribute certificate to modify the public key certificates such that the PKC can be made conformant to the rules of a standard or non-conformant PKI engine process with applicable rules or standard without encountering exceptions, so that need for manual configuration of a PKI engine is avoided (Agrawal: par. 0014).
Regarding claim 17, claim 17 is similar in scope to claim 8, and is therefore rejected under similar rationale.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on 

/Canh Le/
Examiner, Art Unit 2439

January 15th, 2021


/JAHANGIR KABIR/
Primary Examiner, Art Unit 2439