Status of Claims
Claims 1, 8, and 15 have been amended.
Claims 18 and 20 have been canceled.
Claim 22 has been newly added.
Claims 1-7, 19, and 21-22 are currently pending and have been considered by the examiner.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 22 August 2020 has been entered.

Response to Arguments
101 Rejection:
	As discussed during the interview on 21 July 2020, the present claims, while reciting the abstract idea of risk mitigation, successfully place the recited abstract idea into practical application. Specifically, the present claims recite the process of performing risk mitigation using device data and merchant data collected specifically using device data associated with a client device comprising user device history. The use of specific device associated with a user device history provides additional security benefit outside the bounds of simply applying the process of 

103 Rejection:
	Applicant’s arguments have been considered and are moot in view of new grounds of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 6-11, and 13-18, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Dill et al. (US 20150032625 A1 in view of Snyder et al. (US 20120130898 A1), in further view of Aquino et al. (US 20160104163 A1), Guglani (US 20180268403), and Cohn et al. (US 20170200150 A1).

In regards to Claims 1, 8, and 15, discloses:
A computer based system/article of manufacture capable of performing a method comprising: receiving, by a payment network, a payment payload request for a payment transaction from a token request system (See Dill: Para. [0088] – “The token requester interface may be used by the token requester to interact with the network token system. , 
wherein the payment payload request includes a token and a transaction amount of the payment transaction (See Dill: Para. [0088] – “The network token system 202 may generate and return a plurality of tokens, where each token is associated with an account identifier”, See Dill: Para. [0088] – “In some embodiments, the token request may further include one or more of … a purchase amount, etc”), 
wherein the token serves as a reference identifier for a transaction account for the payment transaction (See Dill: Para. [0088] – “the network system may generate and return a plurality of tokens, where each token is associated with an account identifier”), 
and the payment payload request is received on behalf of a client device (See Dill: Fig. 2 – Token Requestor 120 is a consumer 110 controlled device);
the payment payload is provided to the token request system by the payment network (See Dill: Para. [0158-0159] – “In step 3C, the issuer computer 170 may perform the zero dollar authorization and may send a response message to the payment processing network computer 160 to approve or decline authorization of the user … In step 3D, the payment processing network computer 160 may forward the response message to the token registry 202A.” – a payment payload in the form of an approved transaction authorization is provided to the token request system);
receiving, by the payment network, device data associated with the client device from the token request system (See Dill: Para. [0088] – “In some embodiments, the token requestor 204 may optionally provide one or more token attributes with the request such as … a mobile application identifier”); 
performing, by the payment network, a first risk assessment on the payment payload request (See Dill: Para. [0150-0151] – “In step 1A, when the token requestor 204 sends the token request 402 … In step 1B, the payment processing network computer 160 may perform the CVV2 check and send a response message to the token registry 202A to approve or decline authorization of the user”), 
generating, by the payment network, a payment payload for the payment transaction in response to a risk assessment score associated with the first risk assessment meeting a threshold (See Dill: Para. [0151] – “When the token processing server computer 202B generates the token, the token processing server computer 202B may realize that the user has been authenticated using a CVV2 check by the payment processing network computer 160 and may determine a token assurance level accordingly” – Dill discloses  a payment network capable of generating a specific token with an associated token assurance level based on whether or not the request meets the threshold of having a successful CVV2 check), 
a cryptogram received from the merchant system (See Dill: Fig 5 – Step 502B – transmission between merchant computer and acquirer computer wherein the acquirer computer receives a chip cryptogram)
receiving, by the payment network, a request for authorization of the payment transaction from a merchant system (See Dill: Para. [0175] – “In step 502B, the merchant computer 502B may generate an authorization request message with the captured data and provide it to the acquirer computer 150.”, See Dill: Fig. 5 Steps 502B and 502C), 

Dill fails to explicitly disclose:
wherein performing the first risk assessment is based at least in part on the device data associated with the client device and merchant data associated with the payment transaction, and the device data comprises a user device history associated with the transaction account; 
wherein the payment payload comprises a first cryptogram generated by the payment network and the payment payload is provided to the token request system by the payment network; 
wherein the request comprises the payment payload and the merchant system receives the payment payload from the token request system; and 
authorizing, by the payment network, the payment transaction for the merchant system based at least in part on a second risk assessment of the payment payload, wherein the second risk assessment comprises comparing the first cryptogram generated by the payment network and a second cryptogram received from the merchant system.

However, in a similar field of endeavor, Snyder discloses:
wherein performing the first risk assessment is based at least in part on the device data associated with the client device, and the device data comprises a user device history associated with the transaction account (See Snyder: Para. [0088] - “This enables the Wireless Network Data Logic Resources 108 shown in FIG. 1 to provide identity risk values indicating a likelihood of identity theft or financial fraud for a particular financial transaction associated with an Account Number 202 associated with a Wireless Device ID (e.g. MDN) 204 as shown in FIG. 2. The Supplemental Data 304 is comprised of ;

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to substitute the risk assessment technique leveraging user device data disclosed in Snyder for the risk assessment method disclosed in Dill by performing the risk assessment technique of Snyder using the combination of the collected user device data of Snyder and the merchant data present in the token of Dill in order to 

However, the combination of Dill and Snyder fails to explicitly disclose:
wherein the payment payload comprises a first cryptogram generated by the payment network and the payment payload is provided to the token request system by the payment network; 
wherein the request comprises the payment payload and the merchant system receives the payment payload from the token request system; and 
authorizing, by the payment network, the payment transaction for the merchant system based at least in part on a second risk assessment of the payment payload, wherein the second risk assessment comprises comparing the first cryptogram generated by the payment network and a second cryptogram received from the merchant system.

However, in a similar field of endeavor, Aquino discloses:
authorizing, by the payment network, the payment transaction for the merchant system based at least in part on a second risk assessment of the payment payload (See Aquino: Para. [0126] – “If, based on the comparison at step 508, risk assessment model 48 determines at step 510 that the risk assessment indicator meets the first risk assessment threshold, and therefore in this example that the transaction is not a NON-RISK transaction, then at step 514 risk assessment model 48 compares the risk assessment indicator to the second risk assessment threshold. For example, the generated risk assessment indicator may be a numeric value (e.g., a score) that is  

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to substitute the authorization verification process disclosed by the combination of Dill and Snyder for the second risk assessment method disclosed by Aquino in order to increase the overall security of the system be leveraging multiple risk assessments.

However, the combination of Dill, Snyder, and Aquino fails to explicitly disclose:
wherein the payment payload comprises a first cryptogram generated by the payment network
wherein the request comprises the payment payload and the merchant system receives the payment payload from the token request system;
wherein the second risk assessment comprises comparing the first cryptogram generated by the payment network and a second cryptogram received from the merchant system.

However, in a similar field of endeavor, Guglani discloses:
A cryptogram generated by a payment network (See Guglani: para. [0034] – “In some embodiments, using the unique code included in the authorization request message and the encryption algorithm, the payment processing network can generate a cryptogram.”)
A risk assessment comprising comparing a first cryptogram generated by the payment network and a second cryptogram (See Guglani: Para. [0034] – “The cryptogram may then be compared to the cryptogram generated by the mobile device and included in the authorization request message.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to apply the known technique of separate cryptogram generation and subsequent comparison for the purposes of risk assessment as disclosed by the system of Guglani to the known risk assessment and authorization process disclosed by the combination of Dill, Snyder, and Aquino in order to increase the overall security of the system by leveraging more data sets and risk mitigation techniques within the overall system.

However, the combination of Dill, Snyder, Aquino, and Guglani fails to explicitly disclose:
wherein the request comprises the payment payload and the merchant system receives the payment payload from the token request system;

However, in a similar field of endeavor, Cohn discloses:
wherein the request comprises a payment payload (See Cohn: Para. [0016] – “Once the consumer finalizes the purchase event, the merchant server 20 can submit an authorization request 34 to the acquirer processor server 30 that includes the low value  and 
the merchant system receives a payment payload from the token request system (See Cohn: Para. [0016] – “Upon receiving the authorization response 40, the acquirer processor server 30 can detokenize the low value token 32 received from the merchant server 20 and can convert the detokenized low value token into a high value token. The high value token and an authorization response 42 (indicating the authorization response from the payment networks 38) can be transmitted to the merchant server 20”);

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to substitute the authorization request and response system structure disclosed by Cohn for the authorization system structure disclosed in the system of the combination of Dill, Snyder, Aquino, and Guglani in order to increase the efficacy of the invention by utilizing a more streamlined authorization communication pathway requiring less overall transmission steps. 
 
In regards to Claims 2, 9, and 16, the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The method of claim 1, wherein the request for the payment payload request comprises an application programming interface (API) call (See Dill: Para. [0035] – “the token requester can request the issuance of a token via API messaging of a batch request”).

In regards to Claim 3, 10, and 17, the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The method of claim 2, wherein the API call comprises at least one of the token, a token expiry,  an account transaction counter (ATC), an unpredictable number (UN), or a card verification result (CVR) (See Dill: Para. [0088] – “the token requester may optionally provide one or more token attributes with the request such as … a token expiration date, etc”).

In regards to Claims 4 and 11, the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The method of claim 3, wherein the payment payload is generated in response to the API call, wherein the payment payload comprises at least one of the token, the token expiry, the ATC, the UN, or the CVR (See Dill: Para. [0044] – “token attributes may include a type of token, frequency of use, token expiration date and/or expiration time … and any additional information that may be relevant to any entity within a transaction processing system”).

In regards to Claims 6 and 13, the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The method of claim 5, wherein the response payload comprises at least one of encrypted account data, a terms and conditions URL, or a globally unique identifier (See Dill: Para. [0044] – “token attributes may include a wallet identifier associated with the token, an additional account alias or other user account identifier”).

In regards to Claims 7 and 14 the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The method of claim 1, further comprising securing, by the payment network, the payment payload for transmission using encryption (See Dill: Para. [0076] – “In some embodiments of the invention, communication amongst different entities of the system may be encrypted”).

In regards to Claim 22, the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The article of claim 15, wherein the merchant data comprises a user transaction history associated with a merchant identifier (See Dill: Para. [0063] – “An authorization request message may also comprise "transaction information," such as any information associated with a current transaction, such as the transaction amount, merchant identifier, merchant location, etc., as well as any other information that may be utilized in determining whether to identify and/or authorize a transaction.”)

Claims 5, 12, 19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Dill in view of Snyder in further view of Aquino, Guglani, Cohn and Laxminarayanan et al. (US 2016/0119296 A1).

In regards to Claims 5, 12, and 19, the combination of Dill, Snyder, Aquino, Guglani, and Cohn discloses:
The method of claim 1, further comprising: receiving, by the payment network, a tokenization request to tokenize the transaction account (See Dill: Para. [0036] – “In embodiments of the invention, token request messages may allow a token requester to request a token to thereby tokenize a PAN”); 
And transmitting, by the payment network, a response payload in response to the tokenization request (See Dill: Para. [0088] – “the network token system 202 may generate and return a plurality of tokens”).

the combination of Dill, Snyder, Aquino, Guglani, and Cohn does not explicitly disclose:
verifying, by the payment network, the transaction account is eligible for tokenization;

However, in a similar field of endeavor, Laxminarayanan teaches:
verifying, by the payment network, the transaction account is eligible for tokenization (See: Laxminarayanan: Para [0076] – “the token server computer may use this information to determine whether an account identified by an account identifier is eligible for tokenization when a token provisioning request is received”);

Therefore, it would have been obvious to one of ordinary skill in the art at the time of effective filing date to use the tokenization eligibility method by Laxminarayanan et al. to facilitate the tokenization of data as disclosed by the combination of Dill, Snyder, Aquino, Guglani, and Cohn in order to prevent the system from assigning multiple tokens to a single account identifier (see Laxminarayanan: Para. [0074]).


In regards to Claim 21, the combination of Dill, Snyder, Aquino, Guglani, Cohn, and Laxminarayanan teaches:
The article of claim 15, further comprising: generating, by the processor, an encryption key in response to receiving an indication that the transaction account is eligible for tokenization; encrypting, by the processor, the token using the encryption key to generate an encrypted token; and returning, by the processor, the encrypted token to the token request system (See Laxminarayanan: Para. [0008] – “The method includes determining tokens based on the option associated with the encryption keys. A token associated with at least one encryption key is determined for each account identifier of the set of account identifiers. The method also includes storing the tokens and associated encryption keys for later use in token transaction processing.”).
 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS K PHAN whose telephone number is (571)272-6748.  The examiner can normally be reached on M-F 8 am-5 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 






/NICHOLAS K PHAN/Examiner, Art Unit 3685                                                                                                                                                                                                        
/JAY HUANG/Primary Examiner, Art Unit 3685