DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
	Status of Claims
Due to communications filed 11/20/18, the following is a Non-final office action.  Due to a pre-amendment filed 4/19/19, claim 1 has been cancelled, and claim 2 has been amended.  Claims 2-21 are pending in this application and are rejected as follows.  
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 2, 4, 6, 8, 10, 11, 15, 16, 18, 20, 21 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Rubin (US 20020073045 A1), and further in view of Ammermann, (US 20050256802 A1).
As per claim 2, Rubin discloses:
 account information identifying the relevant credit card account. At step 502, the account information is utilized to retrieve the account number from a database of card holders. At step 503, the symmetric cryptographic key is generated from the account number…Alternatively, the symmetric key can be pre-generated and stored with the other account information in the card holder record in the database; [0021] shows that identifying information is “identifying information, ID, such as the card holder's name and billing address”); and
one or more hardware processors coupled to the non-transitory memory and configured to execute instructions to cause the system to perform operations comprising, (Claim 15. A processor readable medium containing executable program instructions for performing a method on a device);
receiving, presented on a user device associated with a user, a validation request for validating a combination of an account identifier and…a postal address provided by the user, ([0005], In accordance with another aspect of the invention, a card issuer receives the token and information identifying the account from a merchant requesting authorization for a transaction. The card issuer decrypts the token using a symmetric cryptographic key converted from the account number associated with the account with the card issuer. The card issuer can then verify information retrieved from the token and approve the transaction if the transaction satisfies any restrictions retrieved from the token);
validating the combination of the account identifier and the portion of the postal address by identifying a particular financial service account from the plurality of financial service accounts based on the account identifier and matching the…postal address with a particular postal address associated with the particular financial service account, ([0021], The intended user of a limited use token may be the card holder or another person, such as the user's child or a gift recipient. The user of the token is referred to herein as the "token user" or simply as the "user." With reference again to FIG. 1, the token is utilized by the token user at step 104. The token is communicated to the merchant 130 along with identifying information, ID, such as the card holder's name and billing address….The merchant 130 passes the token, T, and identifying information, ID, to the credit card issuer 140, who, at step 106, uses the identifying information to look up the card holder's account number. The card issuer can then use the account number (the derived key) to decrypt the token. The decrypted token is then checked for proper form and to ensure that the restrictions are met. At step 107, if the decryption is not proper, or if the restrictions are not met, the transaction is denied and a message to that effect returned to the merchant 130. If the decryption is proper and if the restrictions are met, then the merchant 130 is informed that the transaction is approved.);
in response to the validating, generating a token based on the combination of the account identifier and the…postal address, ([0020] FIG. 4 is a flowchart of the processing performed by a token-generating application running on the card holder's computing device 110, in accordance with a preferred embodiment of the invention. At step 401, the card holder inputs her credit card number into the device for authentication…If the card holder is authenticated, the application presents the user interface for the selection of token restrictions. At step 404, the card holder inputs the token restrictions. Once the card holder has chosen all of the restrictions, the application displays the properties of the chosen token at step 405 and asks the card holder to confirm that this is what is desired…If the card holder confirms the selection, the device commences the encryption process at step 406…resulting in the 16 digit encrypted token. At step 410, the encrypted token is displayed for the card holder, who can proceed to utilize it or provide it to another person for use in a credit card transaction. Or the card holder can presumably go back and modify the restrictions and create a different token or start over);  
transmitting the token to the merchant website, ([0021]The token is communicated to the merchant 130 along with identifying information, ID, such as the card holder's name and billing address; [0023] The present invention enables users to shop and transact at existing web merchant sites without exposing multiple-use credit card numbers, and without requiring changes to the web pages.);
in response to receiving the token appended to the redirect request, providing, on the user device, a user interface for completing a purchase transaction between the user and the merchant website using the particular financial service account based on the token, ([0021] With reference again to FIG. 1, the token is utilized by the token user at step 104. The token is communicated to the merchant 130 along with identifying information, ID, such as the card holder's name and billing address…At step 105, the merchant 130 seeks verification from the card issuer 140 before fulfilling the user's order. The merchant 130 passes the token, T, and identifying information, ID, to the credit card issuer 140, who, at step 106, uses the identifying information to look up the card holder's account number. The card issuer can then use the account number (the derived key) to decrypt the token. The decrypted token is then checked for proper form and to ensure that the restrictions are met…If the decryption is proper and if the restrictions are met, then the merchant 130 is informed that the transaction is approved. Assuming the transaction is approved, the merchant continues with the transaction, e.g. by fulfilling the order at step 108 in FIG. 1. )

Rubin does not discloses the following limitations:
Specifically, Rubin does not disclose a portion of a postal address.
However, Claim 57 of Ammermann discloses: wherein from the telecommunications terminal of the payer a connection is made to a first transaction server of a system operator or service provider, and a first payment-order data set, comprising at least information about the amount and the address of the payee, is transmitted to the first transaction server, the first payment-order data set is transmitted by the first transaction server to a second transaction server, which has been identified by reference to part of the payee's address information.
Specifically, Rubin does not disclose receiving, from a merchant website/receiving, from the merchant website, a redirect request that redirects the user from the merchant website to a payment service provider website, wherein the token is appended to the redirect request.
	
However, Ammermann discloses in  [0283] In redirection scenarios the routing engine makes available a redirection component that processes the instruction "Redirects"; as a result, the customer's browser is redirected from the merchant URL to its home-wallet URL by way of a CPP-URL and directly back to the merchant URL after the transaction has been concluded.

It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Ammermann in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 4, Rubin does not disclose wherein the user interface is configured to limit the user to use the particular postal address as a shipping address for the purchase transaction.
However, Ammermann discloses in [0136] The wallet server (WS) communicates with buyer devices, e.g. by way of device-specific gateways such as WAP and SMS gateways, and stores buyer-related and transaction-related data such as MSISDN, billing and shipping addresses, and credit-card numbers. The wallet server makes available functionalities for customer assistance, and organizes the processing of payment protocols. The wallet server routes authentication inquiries to a micropayment instrument (.mu.PI). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Ammermann in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 6, Rubin discloses:
wherein the operations further comprise:
in response to receiving the redirect request, decrypting the token to obtain the portion of the postal address, wherein the user interface is provided to include the portion of the postal address, ([0022],At step 504, the token is decrypted using the symmetric key, and, at step 505, the restrictions are retrieved and/or parsed from the plaintext token. At step 506, the token is checked for proper form and any restrictions encoded therein are verified. For example, if the token is a multiple-use token, the server looks for it in a database of multiple use tokens, adds it if it is not already there, and accounts for the current use (e.g. subtracting the monetary amount or decrementing the transaction count).).

As per claim 7, Rubin discloses:
wherein the operations further comprise revoking the token based on a preset period of elapsed time from receiving the validation request. ([0016] the validity periods can be one hour, four hours, twelve hours, one day, three days, a week, a month, etc. For each type of restriction, all of the possible values are enumerated when the card holder selects the particular pull-down menu in FIG. 2. As shown in FIG. 2, the card holder has selected a monetary limit of $100 with a validity period of one week where the expense category is limited to "books" and where the token can only be utilized two times in the same store before expiring.)

As per claim 8, Rubin discloses:
wherein the operations further comprise:
processing the purchase transaction using a funding source associated with the particular financial service account; and transmitting a confirmation to the merchant website indicating that the purchase transaction is completed, ([0021], The decrypted token is then checked for proper form and to ensure that the restrictions are met. At step 107, if the decryption is not proper, or if the restrictions are not met, the transaction is denied and a message to that effect returned to the merchant 130.  If the decryption is proper and if the restrictions are met, then the merchant 130 is informed that the transaction is approved. Assuming the transaction is approved, the merchant continues with the transaction, e.g. by fulfilling the order at step 108 in FIG. 1.).

As per claim 10, this claim recites elements similar to those disclosed in independent claim 1, and is therefore rejected for the same reasons.

As per claim 11, Rubin does not disclose
wherein the portion comprises a zip code and an incomplete street name.
However, Claim 57 of Ammermann discloses: wherein from the telecommunications terminal of the payer a connection is made to a first transaction server of a system operator or service provider, and a first payment-order data set, comprising at least information about the amount and the address of the payee, is transmitted to the first transaction server, the first payment-order data set is transmitted by the first transaction server to a second transaction server, which has been identified by reference to part of the payee's address information.
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Ammermann in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 15, Rubin et al discloses:
wherein the account identifier comprises at least one of an electronic mail address, a phone number, or a name associated with the user, ([0021] The intended user of a limited use token may be the card holder or another person, such as the user's child or a gift recipient. The user of the token is referred to herein as the "token user" or simply as the "user." With reference again to FIG. 1, the token is utilized by the token user at step 104. The token is communicated to the merchant 130 along with identifying information, ID, such as the card holder's name and billing address).

As per claim 16, this claim recites limitations similar to those disclosed in independent claim 1, and is therefore rejected for similar reasons.

As per claim 18, Rubin does not disclose:
wherein the user interface is configured to limit the user to use the particular postal address as a shipping address for the purchase transaction.
However, Ammermann discloses in [0136] The wallet server (WS) communicates with buyer devices, e.g. by way of device-specific gateways such as WAP and SMS gateways, and stores buyer-related and transaction-related data such as MSISDN, billing and shipping addresses, and credit-card numbers. The wallet server makes available functionalities for customer assistance, and organizes the processing of payment protocols. The wallet server routes authentication inquiries to a micropayment instrument (.mu.PI). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Ammermann in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 20, Rubin discloses:
in response to receiving the redirect request, decrypting the token to obtain the portion of the postal address, wherein the user interface is provided to include the portion of the postal address.
([0022], At step 504, the token is decrypted using the symmetric key, and, at step 505, the restrictions are retrieved and/or parsed from the plaintext token. At step 506, the token is checked for proper form and any restrictions encoded therein are verified. For example, if the token is a multiple-use token, the server looks for it in a database of multiple use tokens, adds it if it is not already there, and accounts for the current use (e.g. subtracting the monetary amount or decrementing the transaction count).).

As per claim 21, Rubin discloses:
wherein the operations further comprise revoking the token based on a preset period of elapsed time from receiving the validation request, ([0016] the validity periods can be one hour, four hours, twelve hours, one day, three days, a week, a month, etc. For each type of restriction, all of the possible values are enumerated when the card holder selects the particular pull-down menu in FIG. 2. As shown in FIG. 2, the card holder has selected a monetary limit of $100 with a validity period of one week where the expense category is limited to "books" and where the token can only be utilized two times in the same store before expiring.)

Claims 3, 5, 12, 13, 14, 17, 19 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Rubin (US 20020073045 A1), and further in view of Ammermann, (US 20050256802 A1), and further in view of Hazel (US 20080040284 A1).
As per claim 3, Rubin does not disclose wherein the user interface is configured to enable the user to select, from a plurality of funding sources associated with the particular financial service account, a particular funding source for use in the purchase transaction.  However, Hazel discloses in ([0108] As another example, in one embodiment, encryption module leaves the first digit of the bank identification number in clear text for recognition by the terminal as representing a valid range. As these examples illustrate, the invention can be implemented so as to select any or all of the token data fields to be encrypted (or portions thereof) as may be desired or required for a given application. Although the term bank identification number or BIN is sometimes used in this document, this term can refer to the traditional BIN used on bank cards, or more generally to any routing character, string or other information used to identify the source of the token or to route transactions. Likewise, the term bank cards can be used to refer to tokens such as, for example, credit cards, debit cards, loyalty cards, payment cards and the like, whether issued by a bank or other entity (for example, American Express, MasterCard, VISA, etc.) or institution, and whether in the form of a magnetic stripe card or otherwise.)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 5, Rubin discloses an encrypted token in [0020]: At step 408, the symmetric key is generated from the account number. At step 409, the symmetric key is utilized to encrypt the plaintext token, resulting in the 16 digit encrypted token. At step 410, the encrypted token is displayed for the card holder, who can proceed to utilize it or provide it to another person for use in a credit card transaction."
However, Rubin et al does not specifically disclose:
wherein the token is generated as an encrypted string based on the account identifier and the portion of the postal address, Rubin does not disclose and encrypted string.  
However, Hazel discloses in ([0111] The terminal can then handle the transaction as a conventional transaction (for example, unencrypted transaction). In one embodiment, the terminal can check the check data (for example, with parity, LRC and a mod 10 check), which should be correct as it was regenerated by the encryption module using the inserted encrypted string. If the token fails, a bad read status can be output.)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 12, Rubin does not disclose, wherein the purchase transaction is processed based on a funding source of the particular financial service account.
However, Hazel discloses in ([0108] As another example, in one embodiment, encryption module leaves the first digit of the bank identification number in clear text for recognition by the terminal as representing a valid range. As these examples illustrate, the invention can be implemented so as to select any or all of the token data fields to be encrypted (or portions thereof) as may be desired or required for a given application. Although the term bank identification number or BIN is sometimes used in this document, this term can refer to the traditional BIN used on bank cards, or more generally to any routing character, string or other information used to identify the source of the token or to route transactions. Likewise, the term bank cards can be used to refer to tokens such as, for example, credit cards, debit cards, loyalty cards, payment cards and the like, whether issued by a bank or other entity (for example, American Express, MasterCard, VISA, etc.) or institution, and whether in the form of a magnetic stripe card or otherwise.)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 13, Rubin does not disclose, further comprising defining at least one of a condition or an event for which the token may be used for authenticating the user in subsequent purchase transactions.

However, Hazel discloses in [0017] In yet another embodiment, features and functionality can be provided to assist detecting duplicate transactions. For example, transactions can be hashed to generate unique hash codes used to verify that subsequent transactions are not replays of an earlier transaction. Additionally, sequence numbers, signature detection and other techniques can be used to verify the authenticity of a token and a given transaction; [0093] In some instances, the approval may also constitute the final settlement of the transaction resulting in the appropriate funds being transferred to consummate the transaction. In other embodiments, however, the authorization may simply be an authorization only and actual account settlement can take place in a subsequent transaction. For example, authorization may verify the validity of certain information such as the account number, expiration date, customer name, and credit limit to determine whether to approve the transaction. Settlement may be accomplished when a series of one or more approved transactions are sent to the appropriate institution(s) for transfer of the funds or other account settlement.

It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 14, Rubin et al does not disclose wherein the condition is time-dependent.
However, Hazel discloses in ([0093] see “expiration date”).
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 17, Rubin does not disclose wherein the user interface is configured to enable the user to select, from a plurality of funding sources associated with the particular financial service account, a particular funding source for use in the purchase transaction.
.  However, Hazel discloses in ([0108] As another example, in one embodiment, encryption module leaves the first digit of the bank identification number in clear text for recognition by the terminal as representing a valid range. As these examples illustrate, the invention can be implemented so as to select any or all of the token data fields to be encrypted (or portions thereof) as may be desired or required for a given application. Although the term bank identification number or BIN is sometimes used in this document, this term can refer to the traditional BIN used on bank cards, or more generally to any routing character, string or other information used to identify the source of the token or to route transactions. Likewise, the term bank cards can be used to refer to tokens such as, for example, credit cards, debit cards, loyalty cards, payment cards and the like, whether issued by a bank or other entity (for example, American Express, MasterCard, VISA, etc.) or institution, and whether in the form of a magnetic stripe card or otherwise.)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 19, Rubin discloses an encrypted token in [0020]: At step 408, the symmetric key is generated from the account number. At step 409, the symmetric key is utilized to encrypt the plaintext token, resulting in the 16 digit encrypted token. At step 410, the encrypted token is displayed for the card holder, who can proceed to utilize it or provide it to another person for use in a credit card transaction."
However, Rubin et al does not specifically disclose:
wherein the token is generated as an encrypted string based on the account identifier and the portion of the postal address, Rubin does not disclose and encrypted string.  
However, Hazel discloses in ([0111] The terminal can then handle the transaction as a conventional transaction (for example, unencrypted transaction). In one embodiment, the terminal can check the check data (for example, with parity, LRC and a mod 10 check), which should be correct as it was regenerated by the encryption module using the inserted encrypted string. If the token fails, a bad read status can be output.)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Hazel in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claims 9 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Rubin (US 20020073045 A1), and further in view of Ammermann, (US 20050256802 A1), and further in view of Ling (US 20080040284 A1).

As per claim 9, Rubin does not disclose:
receiving, from a second merchant website, a second redirect request comprising the token, wherein the second direct request is associated with a second purchase transaction between the user and the second merchant website; and in response to receiving the second redirect request, providing, on the user device, a second user interface for completing the second purchase transaction between the user and the second merchant website using the particular financial service account based on the token.

However, Ling discloses in [0164] A further embodiment of the present invention called an open system is now described. In an open token system, a user who registered with a vendor web site is allowed to purchase products or services from other vendors who also accept the electronic tokens. The Mall Services Provider (MSP) authorizes electronic tokens to a first web site vendor. The first web site vendor may issue Type-A tokens to customers to use in electronic transactions through its web site. The customer may wish to purchase items sold through a second vendor that accepts its own Type-B electronic tokens, but does not accept the first vendor's Type-A tokens. In one type of an open token system, customers who received Type-A Tokens from the first vendor can purchase products and services from the second vendor's web site by exchanging Type-A tokens for the second vendor's Type-B tokens. Thus, the customer does not have to obtain tokens issued by the second vendor. A user is not required to repeatedly register at every Web Site where he wishes to make purchases, provided that the second web site accepts tokens type-A from the first web site. The transfer of tokens between one vendor to the other and settlement of money associated with transferring of tokens between Malls are performed by the MSP.
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the above limitations as taught by Ling in the systems of Rubin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

	Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Akiba Robinson whose telephone number is 571-272-6734. The examiner can normally be reached on Monday-Friday 9am-5:30pm.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's supervisor, Kevin Flynn can be reached on 571-270-3108. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system, Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (I N USA OR CANADA) or 571-272-1000.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is (703) 305-3900.
April 22, 2021
/AKIBA K ROBINSON/Primary Examiner, Art Unit 3628