DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Claim Rejections - 35 USC §101 Withdrawn
Regarding the rejection under 35 U.S.C. 101, the claims are eligible in light of the claim amendments and Applicant’s arguments.  Under Step 2A, Prong 2, the additional elements of the independent claims are doing more than just adding the words “apply it” with the abstract idea. A computer is not merely being used as a tool to perform the abstract idea. Rather, when viewing the additional elements as a combination, the claimed invention includes a "distributed architecture" that improves network security and network integration.  In addition, the Application Programming Interface ("API") element communicating and utilizing three different server groups to perform different functions of a network and commerce applications.  Thus, the combination of additional elements are not well understood, routine, and conventional.  For example, it is not well understood, routine, and conventional to have three 

Claim Rejections - 35 USC §112(b)
The following is a quotation of 35 U.S.C. 112(b):
(B) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention

Claims 2, 9 and 16 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.  The meaning of the claim limitations that include using a “payment token”, which is unclear because after interpreting the claim in view of the specification one of ordinary skill in the art would not understand where the payment token is from.  The applicant specifically amended the claim to make clear that the “charge request” no longer includes the payment token (in three places within the claim).  Previously, the claims made clear that “charge request” included the payment token.  As the token is used in the transaction process and all the involved components are now clearly stated, it is unclear where and how 
Claims 2-8, 10-15, and 17-21 are rejected by virtue of dependency on a rejected based claim. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 5-9, 12-16, and 19-21 are rejected under AIA  35 U.S.C. 103 as being unpatentable over Beigi (20120110341) in view of Law (20120150748).
Regarding claim 2, Beigi discloses  
a method comprising: receiving, by one or more first server computing devices executing a network application, a client-side call from a computing device of a user of the network application to a graph application programming interface ("API") seeking payment information for a request comprising a user identification 
([0050] 2. The point of sale terminal (Cashier machine) discovers all the PDAs in ready mode. This discovery process may be done in one or more of many different possible methods, such as BlueTooth and IrDA discovery standards as well as the many wireless standards).

mapping, by the one or more first server computing devices executing the network application, the user identification of the request to a profile of the user of the network application
([0057]  In the communication, the cashier checks for the certificate key which has been linked with the transaction much in the same way that TLS and SSL work and check for the validity of the certificate. The cashier checks for the validity of the certificate of the customer through a network with the authorizing agency (much in the same way as a credit card purchase is checked today). The certificate may be revoked at any time, at which instance, the transaction will fail).
([0059] The authentication process may check for the validity of the subscriber ID with an authority. Note that the authenticity of the subscriber 

receiving, by one or more second server computing devices supporting a commerce application, a charge request from the computing device of the user 
([0070] FIG. 6 shows the validation process for the reference data. At the time of each transaction where authentication is necessary, this process of validation takes place. The data is retrieved from the persistent memory of the device and is decrypted to get the signed hash values of the different reference data. Then the original reference data is retrieved by the authentication application from the persistent memory of the device and is hashed in the same manner as it was done in the hashing step of the registration defined in Paragraph 43. These two sets of hash values are then compare as prescribed by FIG. 6 to see if they match. If they match, the multi-factor authentication process will begin, described, beginning in Paragraph 40 and shown in FIG. 11, FIG. 12, FIG. 13, and FIG. 14 depending on the scenario at hand. In this authentication process, as described, the subscriber ID, multiple biometrics, and multiple types of challenges are 

determining, by the one or more first server computing devices executing the network application, a payment token in response to the charge request, wherein the payment token references a full payment card number of a payment card stored in the profile of the user; and
(The examiner notes that the element of “payment token” is rejected for being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.  See 35 U.S.C. 112(b) Rejection above.  Given the lack of clarity, the examiner points to relevant prior art language that probably describes the claim – ([0065] Assuming that there is a certificate authority [Cooper et al., 2008],[van Tilborg and Jajodia, 2011] who is used to sign the references, we denote that authority by CA and the private and public keys of that authority, as defined by the X.509 standard [Cooper et al., 2008] for the Public Key Infrastructure (PKI) are denoted by the following two variables respectively, R.sub.CAPrivate key of the CA (4) See also FIG. 4 which shows the encryption and decryption of data.

Beigi does not disclose 
in response to determining the payment token, sending, by the one or more first server computing devices executing the network application, a payment charge request to one or more third server computing devices executing a payment gateway system associated with the commerce application, the payment charge request comprising encrypted details associated with the payment card, a charge amount, and an indication of authorization to submit charge requests on behalf of the commerce application.
Law teaches 
in response to determining the payment token, sending, by the one or more first server computing devices executing the network application, a payment charge request to one or more third server computing devices executing a payment gateway system associated with the commerce application, the payment charge request comprising encrypted details associated with the payment card, a charge amount, and an indication of authorization to submit charge requests on behalf of the commerce application 
([0077] FIG. 4 shows another example embodiment where the payment gateway 8 sends the payment ID, supplemental ID, request for supplemental verification, and request for authorization of payment to the supplemental server 22 (block 200). In return, the supplemental server 22 sends a verification result and an authorization result for payment back to the payment gateway 8 (block 202). The payment gateway 8 then transfers the payment ID and authorization result for payment, and optionally the verification result, to the payment server 20 (block 204))..
At the time of the filing, it would have been obvious to one ordinarily skilled in the art to have modified Beigi to include 
in response to determining the payment token, sending, by the one or more first server computing devices executing the network application, a payment charge request to one or more third server computing devices executing a payment gateway system associated with the commerce application, the payment charge request comprising encrypted details associated with the payment card, a charge amount, and an indication of authorization to submit charge requests on behalf of the commerce application based on the teaching of Law.  
The motivation being to implement a system with the verification being processed and sent to the payment server to increase security when the parties (user, card issuer, payment settlement system) may have to be separate entities.  See paragraphs 5-13.

Regarding claim 5, Beigi discloses  
receiving the client-side call to the graph API further seeking an indication that the user permits the commerce application to access the payment information; and identifying permissions for the user authorizing the commerce application to access the payment information
([0070] FIG. 6 shows the validation process for the reference data. At the time of each transaction where authentication is necessary, this process of validation takes place. The data is retrieved from the persistent memory of the device and is decrypted to get the signed hash values of the different reference data).
checks for the validity of the certificate of the customer through a network with the authorizing agency (much in the same way as a credit card purchase is checked today). The certificate may be revoked at any time, at which instance, the transaction will fail).
([0059] The authentication process may check for the validity of the subscriber ID with an authority. Note that the authenticity of the subscriber ID has been validated by the validation process (Paragraph 51) and should only be checked by some transaction authority for validity).

Regarding claim 6, the claimed elements are substantially similar the claimed elements in claim 5 and therefore rejected using the same analysis disclosed above.  

Regarding claim 7, Beigi discloses  
receiving, from the computing device, an indication of a user selection of the option to grant the commerce application access to the payment information; and sending the payment information for the user to the computing device to allow the commerce application to auto-fill one or more payment fields, wherein the payment information comprises a payment card label, an expiration date, a name, and a billing address  
([0098] 2. Send transaction list to the PDA for signing.  [0099] 3. Receive the signed transaction list and the ACC.sub.TA from the PDA. [0100] 4. Pass the signed transaction list and the ACC.sub.TA to the TA.)
([0092] 3. Receive the transaction and sign it using R.sub.PDA.sup.T which was stored on the PDA storage device 72 at the registration step). 

Regarding claim 8, Beigi discloses  
logging the user into the network application based on a login request from the computing device; and providing, for display within the computing device, a log of transactions for purchases by the user utilizing a plurality of commerce applications 
([0098] 2. Send transaction list to the PDA for signing.  [0099] 3. Receive the signed transaction list and the ACC.sub.TA from the PDA. [0100] 4. Pass the signed transaction list and the ACC.sub.TA to the TA.)

Regarding claim 9, the claimed elements are substantially similar the claimed elements in claim 2 and are rejected using the same analysis disclosed above.  

Regarding claim 12, the claimed elements are substantially similar the claimed elements in claim 5 and therefore rejected using the same analysis disclosed above.  

Regarding claim 13, the claimed elements are substantially similar the claimed elements in claim 6 and therefore rejected using the same analysis disclosed above.  

Regarding claim 14, the claimed elements are substantially similar the claimed elements in claim 7 and therefore rejected using the same analysis disclosed above.  

Regarding claim 15, Beigi discloses  
instructions that, when executed by the at least one processor, cause the computer system to: generate the payment token for the user stored in a non-transitory storage medium; and send the payment token to the computing device comprising the commerce application without the full payment card number 
(The examiner notes that the element of “payment token” is rejected for being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.  See 35 U.S.C. 112(b) Rejection above.  Since it does not expand or narrow the referenced claim 9, it is therefore rejected using the same analysis disclosed above in claim 9)

Regarding claim 16, Beigi discloses  
a system comprising: at least one processor; at least one non-transitory computer readable medium comprising instructions that, when executed by the at least one processor, cause the system to:
receive, by one or more first server computing devices executing a network application, a client-side call from a computing device of a user of the network application to a graph application programming interface ("API") seeking payment information for a request comprising a user identification; map, by the one or more first server computing devices executing the network application, the user identification of the request to a profile of the user of the network application; 
receive, by one or more second server computing devices supporting a commerce application, a charge request from the computing device of the user ; determine, by the one or more first server computing devices executing the network application, a payment token in response to the charge request, wherein the payment token references a full payment card number of a payment card stored in the profile of the user; and in response to determining the payment token, send, by the one or more first server computing devices executing the network application, a payment charge request to one or more third server computing devices executing a payment gateway system associated with the commerce application, the payment charge request comprising encrypted details associated with the payment card, a charge amount, and an indication of authorization to submit charge requests on behalf of the commerce application  
(in respect to the claimed elements within this paragraph, examiner notes that FIG. 1 (of Beigi) shows the various devices with processors used in the network security and commerce applications.  The remaining claimed 

Regarding claim 19, the claimed elements are substantially similar the claimed elements in claim 5 and therefore rejected using the same analysis disclosed above.  

Regarding claim 20, the claimed elements are substantially similar the claimed elements in claim 6 and therefore rejected using the same analysis disclosed above.  

Regarding claim 21, the claimed elements are substantially similar the claimed elements in claim 7 and therefore rejected using the same analysis disclosed above.  


Claims 3-4, 10, 11 and 17-18 are rejected under AIA  35 U.S.C. 103 as being unpatentable over Beigi and Law, as applied to claims 2, 5-9, 11-16, and 18-21 above, further in view of Yehoshua (8131594).
Regarding claim 3, Beigi discloses 
before receiving the client-side call to the graph API seeking the payment information: receiving, from the computing device, a facilitator engagement request comprising a user ID of the user and an identification of the commerce application
([0070] FIG. 6 shows the validation process for the reference data. At the time of each transaction where authentication is necessary, this process of validation takes place. The data is retrieved from the persistent memory of the device and is decrypted to get the signed hash values of the different reference data. Then the original reference data is retrieved by the authentication application from the persistent memory of the device and is hashed in the same manner as it was done in the hashing step of the registration defined in Paragraph 43. These two sets of hash values are then compare as prescribed by FIG. 6 to see if they match. If they match, the multi-factor authentication process will begin, described, beginning in 
Beigi does not disclose 
providing an engagement response to the computing device causing the computing device to present an option to complete a transaction utilizing the network application within a graphical user interface.
Yehoshua teaches 
providing an engagement response to the computing device causing the computing device to present an option to complete a transaction utilizing the network application within a graphical user interface 
(C14, L24 past purchasing score may be a numeric value indicative of a likelihood that the user will complete an online purchase based at least in part on the user's historical purchasing behavior).
At the time of the filing, it would have been obvious to one ordinarily skilled in the art to have modified Beigi to include 
providing an engagement response to the computing device causing the computing device to present an option to complete a transaction utilizing the network application within a graphical user interface based on the teaching of Yehoshua.  
The motivation being to increase probability of sales by analyzing users’ past purchasing history.  See C17, L18-35.

Regarding claim 4, the claimed elements are substantially similar the claimed elements in claim 3 and therefore rejected using the same analysis disclosed above.  

Regarding claim 10, the claimed elements are substantially similar the claimed elements in claim 3 and therefore rejected using the same analysis disclosed above.  

Regarding claim 11, the claimed elements are substantially similar the claimed elements in claim 4 and therefore rejected using the same analysis disclosed above.  

Regarding claim 17, the claimed elements are substantially similar the claimed elements in claim 3 and therefore rejected using the same analysis disclosed above.  

Regarding claim 18, the claimed elements are substantially similar the claimed elements in claim 4 and therefore rejected using the same analysis disclosed above).  


Response to Arguments
The applicant’s 35 USC 101 arguments are moot because rejections are withdrawn.  Please see above for explanation of the 35 USC 101 withdrawal.   Applicant's other arguments filed 12/7/20 have been fully considered but they are not persuasive. 
In response to applicant's argument that: 
“Yang, whether considered singly or in combination with the other cited references, fails to describe, teach, or suggest each limitation recited by independent claims 2, 9, and 16,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

In response to applicant's argument that: 
“Accessing payment information stored on a smart chip of a payment card, as in Yang, is not the same as the above-cited limitations. In particular, at no point does Yang teach, "receiving... a client-side call from a computing device…,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

In response to applicant's argument that: 
“Yang does not teach anything related to "one or more first server computing devices executing a network application," "one or more second server computing devices supporting a commerce application," and "one or more third server…,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

In response to applicant's argument that: 
“Providing card information from a mobile device to a merchant's website to process a transaction, as in Doherty, is not the same as the previously cited limitations,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

In response to applicant's argument that: 
“at no point does Doherty teach anything related to "one or more first server computing devices executing a network application," "one or more…,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

In response to applicant's argument that: 
“because Doherty fails to overcome the deficiencies of Yang, the combination of cited prior art references also fails to teach the limitations of the claims,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

In response to applicant's argument that: 
“these dependent claims are allowable over Yang, whether considered singly or in combination with the other cited references,”
Applicant’s arguments with respect to claims have been considered but are moot because the arguments do not apply to the new analysis in view of the additional references being used in the current rejection.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARK GAW whose telephone number is (571)270-0268.  The examiner can normally be reached on Mon-Fri 8:30AM-5:00PM EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sarah Monfeldt can be reached on 571 270-1833.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  
	
/MARK GAW/
Examiner, Art Unit 3692
/ELIZABETH H ROSEN/Primary Examiner, Art Unit 3692