United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 14/320,535
Filing Date: 30 Jun 2014
Appellant(s): Slater et al.



__________________
Robert P. Lord
Registration No.: 46,479
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed July 13, 2021 (hereinafter “Brief”) appealing the non-final Action dated April 14, 2021.
(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated April 14, 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.” 

WITHDRAWN REJECTIONS
The following grounds of rejection are not presented for review on appeal because they have been withdrawn by the examiner.  The rejections under 35 U.S.C. 112(a) of claims 1, 9 and 17.

NEW GROUNDS OF REJECTION
There are no new grounds of rejection.

The following ground(s) of rejection are applicable to the appealed claims.
Claims 26-28 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
Claims 26-28 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1, 3, 9, 11, 17, 19 and 26-28 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

(2) Response to Argument
Appellant's arguments will be addressed in the order in which they appear in the Brief.
Appellant makes the following arguments in the Brief:
A. Regarding the 35 U.S.C. § 112(a) rejection on claim 26, Appellant argues that the specification directly and explicitly refutes the Examiner's assertion that the specification fails to describe the scenario where the card data token is deleted responsive to failure of the detokenize and erase request.  Brief pp. 17-19.
B. Regarding the 35 U.S.C. § 112(b) rejection on claim 26, Appellant argues that when read together, side-by-side, the ordinary artisan would understand that claim 26 further limits claim 1 by eliminating one of the two alternatives presented in claim 1.  Brief pp. 19-21.  Appellant concludes that claim 26 specifies that the card data token is deleted responsive only to failure of the detokenize and erase request (i.e., via use of the TTL value), and eliminates the alternative in claim 1 of success of the detokenize and erase request.  Id.
C. Regarding Step 2A, Prong 1 of the 35 U.S.C. § 101 rejection, Appellant argues that the following limitations are not abstract and enhance the generic PCI-DSS process of the claims:
wherein the PCI-DSS system comprises a payment processing system governed by the PCI-DSS, and wherein the PCI-DSS comprises a standardized security requirement for payment processing systems that perform at least one selected from a group consisting of storing, processing, and transmitting the card data, and
wherein generating the card data token includes adding a time to life (TTL) value to the card data token, the TTL value indicating a maximum amount of time the token service maintains the card data in storage before deleting the card data;
improving security of the card data by deleting the card data token responsive to at least one of the TTL value expiring or the detokenize and erase request.  Brief pp. 21-23.
D. Regarding Step 2A, Prong 1 of the 35 U.S.C. § 101 rejection, Appellant refers to Amdocs and argues that the claims and the specification are not abstract because the claimed invention is not directed to the transaction itself, rather, the claims and the specification are directed towards the technical details of how to improve a computer system to process electronic payments more securely, yet remain within existing technical standards.  Brief pp. 23-28.
E. Appellant submits that the prior Decision of August 24, 2020 incorrectly affirmed the prior rejection under 35 U.S.C. § 101.
F. Regarding Step 2A, Prong 1 of the 35 U.S.C. § 101 rejection, Appellant argues that improvements to programming can, under circumstances such as that described in Amdocs (Israel) Ltd., v. Openet Telecom, Inc., 841 F.3d 1288, 120 U.S.P.Q.2d 1527 (Fed. Cir. 2016), result in the improvement of a computer as a tool.  Brief pp. 29-30.
G. Regarding Step 2A, Prong 2 of the 35 U.S.C. § 101 rejection, Appellant argues that “Even if the Board were to conclude that the above-argued claim limitations were abstract (a disputed point), the same claim limitations integrate any recited abstract idea into the practical application of improved security in computerized electronic transactions.”  Brief p. 30.
H. Regarding Step 2A, Prong 2 of the 35 U.S.C. § 101 rejection, Appellant argues that “Clearly the Examiner believes the combination of limitations are not well-understood, routine, or conventional in the field; otherwise, the Examiner would not have withdrawn the obviousness rejection.”  Brief p. 31.

Response to Argument A:  Regarding the 35 U.S.C. § 112(a) rejection on claim 26, Appellant argues that the specification directly and explicitly refutes the Examiner's assertion that the specification fails to describe the scenario where the card data token is deleted responsive to failure of the detokenize and erase request.  Brief pp. 17-19.  Examiner respectfully disagrees.  Appellant points to paragraph [0033] of the specification to support claim 26, however, the relevant portion of paragraph [0033] merely indicates that “the token may live at most an amount of time equal to the TTL value, so even if the explicit detokenize and erase operation fails, the token will be erased.”  Examiner contends this portion of the Specification is merely providing a reason why the TTL value is added to the token.  That is, even if the system does not receive a detokenization request, or if the detokenization request fails, the token will still be deleted based upon the expiration date set in the TTL.  Appellant’s disclosure indicates that the token is erased based on one of two possible scenarios.  See e.g.,  Specification [0036-0037].  First, the token is erased based on a request (i.e. a detokenize and erase operation), or second, the token is erased based on the TTL value in the token expiring.  Examiner contends that the disclosure fails to describe a third scenario where the token is erased in response to (i.e. based on) a failed detokenize and erase operation/request.  That is, there is no description describing a scenario where the token service attempts to detokenize and erase the token, fails the attempt, and in response to the failed attempt erases the token.  At best, the token service may wait until the TTL value expires and then erases the token.  In this scenario it is not the failed attempt that causes the erasing to occur, rather, it is the fact that TTL value expired.  
Examiner further contends that there is a fundamental difference between erasing a token in response to an expired TTL and erasing a token in response to a failed request.
	Dependent claims 27 and 28 recite a substantially similar limitation to that found in claim 26; accordingly, the reasons and rationale explained above with respect to claim 26 would also be applicable to claims 27 and 28.

Response to Argument B:  Regarding the 35 U.S.C. § 112(b) rejection on claim 26, Appellant argues that when read together, side-by-side, the ordinary artisan would understand that claim 26 further limits claim 1 by eliminating one of the two alternatives presented in claim 1.  Brief pp. 19-21.  Appellant concludes that claim 26 specifies that the card data token is deleted responsive only to failure of the detokenize and erase request (i.e., via use of the TTL value), and eliminates the alternative in claim 1 of success of the detokenize and erase request.  Id.  Examiner respectfully disagrees with this conclusion and contends that a person of ordinary skill in the relevant art would read claim 26 and determine that more than one reasonable interpretation is possible.  Claim 26 depends on claim 1, and claim 1 indicates that the card data token is deleted responsive to at least one of the TTL value expiring or the detokenize and erase request.  Claim 26 does not explicitly/narrowly indicate that the manner of deletion is responsive to the TTL value expiring, as suggested by Appellant’s response, accordingly, it is unclear whether claim 26 is eliminating one of the deleting alternatives presented in claim 1, as suggested by Appellant, or if claim 26 is providing a third reason as to why/when the card data token is deleted.  Additionally, if claim 26 is indeed providing a third reason as to why/when the card data token is deleted, it is unclear what condition(s) take precedence when it comes to deleting the card data token.  For example, in a situation where the detokenize and erase request fails and the TTL value indicates that the card data token does not expire for another 2 hours, it is unclear when/if the card data token should be deleted.  
As another example, in a situation where the TTL value indicates the card data token is expired and should be deleted, it is unclear what steps would occur when any subsequent detokenize and erase request ultimately fails because the token was already deleted in response to the TTL value previously expiring.  As best understood the card data token can only be deleted once, yet claim 26 reasonably suggests that there is a scenario where it could be deleted responsive to at least one of the TTL value expiring or the detokenize and erase request and deleted [again] responsive to failure of the
	Dependent claims 27 and 28 recite a substantially similar limitation to that found in claim 26; accordingly, the reasons and rationale explained above with respect to claim 26 would also be applicable to claims 27 and 28.

Response to Argument C:  Regarding Step 2A, Prong 1 of the 35 U.S.C. § 101 rejection, Appellant argues that the following limitations are not abstract and enhance the generic PCI-DSS process of the claims:
wherein the PCI-DSS system comprises a payment processing system governed by the PCI-DSS, and wherein the PCI-DSS comprises a standardized security requirement for payment processing systems that perform at least one selected from a group consisting of storing, processing, and transmitting the card data, and
wherein generating the card data token includes adding a time to life (TTL) value to the card data token, the TTL value indicating a maximum amount of time the token service maintains the card data in storage before deleting the card data;
improving security of the card data by deleting the card data token responsive to at least one of the TTL value expiring or the detokenize and erase request.  Brief pp. 21-23.
	This argument is unpersuasive.  The 2019 Revised Patent Subject Matter Eligibility Guidance (hereinafter “2019 PEG”) discusses a multi-step analysis which is followed to determine subject matter eligibility under 35 U.S.C. §101.  Under the 2019 PEG step 2A, Prong 1 analysis, it must be determined whether the claim(s) recite(s) an abstract idea that falls within one or more designated categories of patent ineligible subject matter (i.e., organizing human activity, mathematical concepts, and mental processes) that amount to a judicial exception to patentability.  Here, Appellant errs in their analysis of the claim because they only evaluate three limitations from the claim, and determine that those 
	When claim 1 in its entirety is evaluated, it is clear that the claim is directed to an abstract idea.  The April 14, 2021 non-final Office Action (hereinafter “Action”) identified the abstract idea as “protecting a customer’s payment information (e.g., credit card information) through the use of a tokenization service/system/process that adheres to industry standards (e.g., PCI-DSS) while processing a payment with a payment service.”  Action pp. 8-9.  The Action explained that this concept/abstract idea falls within the Certain Methods of Organizing Human Activity grouping of the 2019 PEG because it describes a fundamental economic practice (e.g., protecting consumer information during a transaction) and/or a commercial or legal interaction (e.g., between the point of sale (POS), the token service, and the payment service).  Id.  Examiner contends that the protecting of customer information, including payment information, through the life cycle of the payment process is a process that is well-established in the financial industry (i.e. a fundamental economic practice).  This fact is seemingly acknowledged in the background section of Appellant’s Specification, which states “When processing payment transactions, payment data must be properly handled and protected throughout its life cycle from the point of sale system though all hosted applications. This is generally accomplished through a layered approach to security that meets well-defined access control and data protection (e.g., encryption, tokenization, hashing) requirements. In addition, card swiped data must meet special handling requirements such as mandatory deletion from system memory post-authorization.”  Specification [0001].  The Specification also indicates PCI-DSS is "a set of security requirements for payment processing systems that store, process[], or transmit card data."  Specification [0022].  Therefore, the
	Examiner contends that the three limitations indicated by Appellant, and cited above, fall within the abstract idea of “protecting a customer’s payment information (e.g., credit card information) through the use of a tokenization service/system/process that adheres to industry standards (e.g., PCI-DSS) while processing a payment with a payment service.”  For example, the “wherein the PCI-DSS system” limitation describes the particular environment in which the card data token is generated.  However, as previously indicated in the rejection, tying this concept to a particular environment (e.g., a PCI-DSS environment) fails to move the claims beyond a general link of the use of the abstract idea in a particular environment.  Action p. 9.  As per the “wherein generating the card data token includes adding a time to life (TTL) value to the card data token” and “improving security of the card data by deleting the card data token”, both of these limitations are recited at a high level of generality, and, as acknowledged by the background section of Appellant’s Specification, the mandatory deletion of card data is an integral part to protecting payment data.  Specification [0001].  Accordingly, these steps/limitations easily fall within the confines of the abstract idea since the claim is describing these steps/limitations at such a high level of generality.  Examiner finds no indication in the claim, or in the disclosure for that matter, that these three limitations, or any other of the recited limitations, provide sufficient specificity to constitute an improvement to computer functionality itself or to the process of protecting customer’s payment information (e.g., to the PCI-DSS process).
	Furthermore, the PCI-DSS standards indicate that protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection.  See Payment Card Industry Security Standard, Version 3.2.1, Published May 2018 (hereinafter “PCI-DSS”) p. 36.  The PCI-DSS standards also disclose risk mitigation techniques including not storing cardholder data unless absolutely necessary and truncating cardholder data if full PAN is not needed.  Id.  PCI-DSS requirements 
 
Response to Argument D:  Regarding Step 2A, Prong 1 of the 35 U.S.C. § 101 rejection, Appellant refers to Amdocs and argues that the claims and the specification are not abstract because the claimed invention is not directed to the transaction itself, rather, the claims and the specification are directed towards the technical details of how to improve a computer system to process electronic payments more securely, yet remain within existing technical standards.  Brief pp. 23-28.  As best understood, Appellant is actually arguing why the abstract idea is integrated into a practical application (i.e. Step 2A, Prong 2).  Particularly, Appellant identifies the mandatory deletion of card swipe data from system memory as a specific technological problem identified by the specification and solved by the claimed invention.  Brief p. 25.  This argument is unpersuasive.
	 In Amdocs, the claims recited using accounting information correlated to a first network accounting record to enhance the first network accounting record based on a distributed architecture that applied a number of field enhancements in a distributed fashion that represented a critical advance over the prior art by solving a technological problem of massive record flows that previously required massive databases. Amdocs (Isr.) Ltd. v. Openet Telecom, Inc., 841 F.3d 1288, 1300-01 (Fed. Cir. 2016). The claimed distributed enhancement was a critical advance because it enabled load distribution so Id. at 1300.  The claimed enhancing required the generic components to operate in an unconventional manner to improve computer functionality. Id. at 1300-01.
	Here, claim 1 recites generic components arranged in no particular way to perform generic functions of sending, receiving, and storing payment processing data without improving computers or networks.  Tokenized card data is not correlated across the system or between two records as in Amdocs.  Also, there is no distributed computing function.
	As per the deletion of data from the system, Examiner notes that there are only two limitations recited in the claim that address the problem of data deletion.  The first limitation describes, at a high level, that a time to life (TTL) value is added to the card token.  The claim fails to provide any details as to the specific manner the TTL value is added to the card token, and the Specification merely indicates that the token service stores encrypted card data with the TTL value on the token service.  Specification [0041].  Accordingly, there does not appear to be any technological innovation in the manner the TTL value is added to the card token.  Rather, the step is the functional equivalent of storing and/or associating information together in a database.  The second limitation describes, at a high level, that security is improved by deleting the token.  The second limitation provides two options/alternatives as to why/when the card data token will be deleted.  The first option/alternative indicates that the card data token should be deleted responsive to the TTL value expiring.  Again, the step of deleting is recited at a high level of generality and Appellant’s disclosure does little to offer any additional details that would suggest that deleting data in response to an expiration date/time offers a technological innovation.  In fact, the disclosure is silent as to how the payment service would determine when/if the TTL value is expired.  The second option/alternative does not even use the TTL value, rather, it merely deletes the card data token in response to a request.  Accordingly, there is a plausible scenario where 
 
Response to Argument E:  Appellant submits that the prior Decision of August 24, 2020 incorrectly affirmed the prior rejection under 35 U.S.C. § 101.  This argument appears misplaced in an appeal brief as the purpose of the appeal brief is to explain why the examiner (as opposed to the PTAB) erred as to each ground of rejection contested by appellant.  See 37 CFR 41.37.

Response to Argument F:  Regarding Step 2A, Prong 1 of the 35 U.S.C. § 101 rejection, Appellant argues that improvements to programming can, under circumstances such as that described in Amdocs (Israel) Ltd., v. Openet Telecom, Inc., 841 F.3d 1288, 120 U.S.P.Q.2d 1527 (Fed. Cir. 2016), result in the improvement of a computer as a tool.  Brief pp. 29-30.  Examiner agrees, however, in this instance Appellant does not offer a persuasive argument that the claims offer an improvement to programming because the claims do not include sufficient specificity.  Appellant appears to have a desire to ensure that PCI-DSS standards/requirements are followed, however, the claim(s) fall(s) short in describing, in sufficient detail, how this will be accomplished.  Rather, the claims generically provide for the sending, receiving, storing, and deleting of payment processing data via the use of a generic processing device (i.e. a token service).  That is, the claim is performing generic computing functions via a generic computing component.

Response to Argument G:  Regarding Step 2A, Prong 2 of the 35 U.S.C. § 101 rejection, Appellant argues that “Even if the Board were to conclude that the above-argued claim limitations were abstract (a disputed point), the same claim limitations integrate any recited abstract idea into the practical application of improved security in computerized electronic transactions.”  Brief p. 30.  Examiner respectfully disagrees.  Appellant merely makes a general allegation why the claim is integrated into a practical application without providing any specific reasoning.  As previously indicated in the Action, Claim 1 recites the additional elements of: a token service operating in a payment card industry data security standard (PCI-DSS) system; and a payment service operating in the PCI-DSS system.  Action p. 9-10.  Both the token service and the payment service are recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using a generic computer component, system, and/or service.  See MPEP 2106.05(f).  Furthermore, the fact that the token service and payment service operate in a payment card industry data security standard (PCI-DSS) system adds nothing to the claim(s) other than tying the abstract idea to a particular technological environment.  Even if the tasks/steps in the claim are based on rules of a PCI-DSS system, such broadly recited rules, without more, do not take claim 1 out of the abstract idea realm.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  Looking at the elements as a combination does not add anything more than the elements analyzed individually.

Response to Argument H:  Regarding Step 2A, Prong 2 of the 35 U.S.C. § 101 rejection, Appellant argues that “Clearly the Examiner believes the combination of limitations are not well-understood, routine, or conventional in the field; otherwise, the Examiner would not have withdrawn the obviousness rejection.”  Brief p. 31.  Examiner respectfully disagrees.  The position taken by Appellant that a non-obvious Alice, the Supreme Court described an “inventive concept” as “an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.’”  Alice, 134 S. Ct. at 2355 (quoting Mayo, 132 S. Ct. at 1294).  It is true that the 101 patent-eligibility inquiry and the 102/103 novelty/obviousness inquiry might sometimes overlap (see e.g., Mayo, 132 S. Ct. at 1304), but a claim for a new abstract idea is still an abstract idea (as is the case here).  Synopsys v. Mentor Graphics Corp., _ F.3d _, 120 U.S.P.Q.2d 1473 (Fed. Cir. 2016).   Also note that in Diehr, the court found that “[t]he ‘novelty’ of any element or steps in a process, or even of the process itself, is of no relevance in determining whether the subject matter of a claim falls within the § 101 categories of possibly patentable subject matter.”  In other words, a novelty test should not belong in determining 101.
Additionally, when analyzed under step 2B, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  The additional elements of using a token service and the payment service to implement the abstract idea amount to no more than mere instructions to apply the exception using a generic computer component, system, and/or service.  Mere instructions to apply an exception using a generic computer component, system, and/or service cannot provide an inventive concept.  Considered as an ordered combination, the different services/computing components recited in the claims add nothing that is not already present when the steps are considered separately.  Thus, the claims at issue amount to nothing significantly more than instructions to apply the abstract ideas of a fundamental economic practice and/or a commercial or legal interaction using some unspecified, generic computer/service.  Accordingly, this is not enough to transform an abstract idea into a patent-eligible invention.



Respectfully submitted,
/J.F./Examiner, Art Unit 3685
September 1, 2021

Conferees:

/PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3685
/STEVEN S KIM/Primary Examiner, Art Unit 3685
Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.