DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 27 October 2020 has been entered.
Acknowledgements
This Office Action is in reply to Applicant’s response filed 27 October 2020.  
Claims 1–4, 6–14, 16–20, and 22–23 are currently pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1–4, 6–14, and 16–20 are rejected under 35 U.S.C. § 103 as being unpatentable over Gaddam et al. (US 2016/0028550 A1) (“Gaddam”), in view of Bondesen et al. (US 9,600,817 B2) (“Bondesen”).

	receiving, by a first server computer (fig. 1, 140 or 140/150), a first authorization request message from a resource provider computer in a first transaction, the first authorization request message comprising a first payment amount and a first subtoken including a first header and an obfuscated portion, wherein the first header routes the first subtoken to the first server computer, wherein the first subtoken is a substitute identifier for a primary token and has a same number of digits as the primary token, and wherein the primary token is a payment token ([0029]–[0030] [0035] [0055] [0059] [0078] [0087] [0091]);
using, by the first server computer, the obfuscated portion of the first subtoken to determine the primary token and data associated with the primary token, the primary token including a second header and a middle portion, wherein the second header is associated with an authorizing entity computer that holds an account of a user ([0060] [0103]; [0058]–[0059] [0061] [0009] [0033]; [0029]–[0030] [0035] [0055] [0059] [0078]); 
(i)    retrieving, by the first server computer, a credential associated with the primary token, wherein the credential is a primary account number of the account of the user, the credential including the second header and a center portion, wherein the center portion of the credential is different than the middle portion of the primary token, and authorizing, by the first server computer, the first transaction with the credential ([0056] [0058]–[0061] [0067] [0116]), or
(ii)    sending, by the first server computer, the primary token to the authorizing entity computer, wherein the authorizing entity computer retrieves the credential associated with the primary token, and authorizes the first transaction with the credential, wherein the credential is the primary account number for the account of the user, the credential including the second 
Gaddam does not expressly disclose after the first transaction is authorized, invalidating the first subtoken.
Bondesen teaches a token(s) as a single-use instrument that is utilized once, and thereafter disappears, is replaced, or is erased (4:43–49).
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify the first subtoken of Gaddam to be a single-use token that is invalidated after being used, as taught by Bondesen. One would have been motivated to do so because single-use tokens are less vulnerable to replay attacks.
Gaddam/Bondesen further teach:
receiving, by the first server computer, a second authorization request message in a second transaction, the second authorization request message comprising a second payment amount and a second subtoken, wherein the second subtoken is different than the first subtoken. is a substitute identifier for the primary token, and has the same number of digits as the primary token; determining the primary token using the second subtoken; (iii) retrieving, by the first server computer, the credential associated with the primary token, and authorizing, by the first server computer, the second transaction with the credential, or (iv) sending, by the first server computer, the primary token to the authorizing entity computer, wherein the authorizing entity computer retrieves the credential associated with the primary token, and authorizes the second transaction with the credential; and after the second transaction is authorized, invalidating the 
As per claim 2, Gaddam and Bondesen teach the method of claim 1, wherein the data associated with the primary token includes a limited use key, and wherein the method further comprises: generating, by the first server computer, a token validation cryptogram using the limited use key (Gaddam [0037] cryptogram requires generation using a key), and retrieving the credential using the primary token and the token validation cryptogram (Gaddam [0056] [0058]–[0061] [0067] [0116]).
As per claim 3, Gaddam and Bondesen teach the method of claim 1, wherein the resource provider computer extracted the first subtoken from a one-dimensional bar code (Gaddam [0054]).
As per claim 4, Gaddam and Bondesen teach the method of claim 3, wherein the first subtoken is received from the resource provider computer through a transport computer without a token validation cryptogram (Gaddam, figure 1).
As per claim 6, Gaddam and Bondesen teach the method of claim 1, further comprising: updating the first authorization request message by replacing the first subtoken with the credential (Gaddam, [0060] [0103]; [0058]–[0059] [0061] [0009] [0033]; [0029]–[0030] [0035] [0055] [0059] [0078]).
As per claim 7, Gaddam and Bondesen teach the method of claim 1, wherein using the obfuscated portion of the first subtoken comprises: locating the primary token and the data 
As per claim 8, Gaddam and Bondesen teach the method of claim 1, wherein the method comprises the (ii) sending, by the first server computer, the primary token to the authorizing entity computer (Gaddam, [0114] [0116] [0119]).
As per claim 9, Gaddam and Bondesen teach the method of claim 1, wherein the method comprises the (i) retrieving, by the first server computer, the credential associated with the primary token, and authorizing, by the first server computer, the first transaction with the credential (Gaddam, [0056] [0058]–[0061] [0067] [0116]).
As per claim 10, Gaddam and Bondesen teach the method of claim 1, wherein the first subtoken, the primary token, and the credential comprise a same check digit ([0029]).
Claims 11–14 and 16–20 contain language similar to claims 1–4 and 6–10 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 11–14 and 16–20 are also rejected under 35 U.S.C. § 103 as being unpatentable over the cited references.
Claim 22 is rejected under 35 U.S.C. § 103 as being unpatentable over Gaddam, in view of Bondesen, and in view of Hazel et al. (US 2009/0048953 A1) (“Hazel”).
As per claim 22, Gaddam and Bondesen teach the method of claim 1, but do not expressly teach wherein the center portion of the primary token is mathematically derived from the center portion of the primary account number.
Hazel teaches wherein a center portion of a primary token is mathematically derived from a center portion of a primary account number (e.g., fig. 21).
.
Claim 23 is rejected under 35 U.S.C. § 103 as being unpatentable over Gaddam, in view of Bondesen, and in view of Official Notice.
As per claim 23, Gaddam and Bondesen teach the method of claim 12, but do not expressly teach further comprising: changing, by the first server computer, the limited use key periodically so that token validation cryptograms generated by the first server computer periodically change.
However, the Examiner takes Official Notice that periodically changing a key is old and well-known in this art to minimize effect of a stolen key.
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Gaddam/Bondesen to change the key periodically so as to minimize effect of a stolen key as is known in the art.
Response to Arguments
Applicant’s arguments have been fully considered but are moot in view of the new grounds of rejection herein.
Conclusion
The following prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
Hurry et al. (US 2015/0235211 A1): The method includes generating an obfuscated portion using a dynamic cryptogram unique to a transaction, where the dynamic cryptogram is determined using a uniquely derived key. The method also includes replacing a middle portion of the account identifier with the obfuscated portion to form an obfuscated account identifier.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB C. COPPOLA whose telephone number is (571)270-3922. The examiner can normally be reached on Monday-Friday 8:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-
/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685