Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claim 13 is objected to because of the following informalities: In claim 13: line 4, “indicator and.” Should be “indicator”. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rosener US. Pub. No.:  20100042848 A1 in view of Pitroda et al. (Hereinafter referred to as Pitroda; US. Pub. No.: 20070198432 A1).

s per claim 1:
Rosener discloses a computer-implemented method comprising:
receiving, at a secure remote transaction server from a client device, a request to enroll an account ([0014]: a user or owner of the I/O device can register or personalize the device to include a previously and optionally independent user certificate that contains information of the user (e.g., name, e-mail address, phone number, etc.). The registration or personalization server combines the information from the manufacturer certificate and independent user certificate to form a personalized certificate in order to ensure the trustworthiness of these digital certificates; [0019]:  Each user may enroll one or more user credentials with an authenticator (e.g., a bank, a merchant, etc.), in which the user credentials are entered/checked and stored for later authentication; [0021]: Moreover, an optional secure link is created between the personalized I/O device and the registration, enrollment, or authentication servers for a remote secure transaction, this secure link extends beyond the traditional one for remote transactions, ending at the browser and it  is configured to provide additional security for transmitting user credentials hence achieving higher confidence of credential source authenticity because they cannot be easily copied electronically);
verifying, by the secure remote transaction server, that the client device has authority to access the account ([0014]: to ensure the trustworthiness of these digital certificates, each of the certificates might be traceable to a trusted entity (e.g., certification authority (CA)); [0015] The personalized certificate and signing process is based on Public Key infrastructure (PKI));
storing, by the secure remote transaction server, at least a public key of a cryptographic key pair in association with the account, wherein at least a private key of the cryptographic key 
Rosener does not explicitly disclose generating a token to be associated with the account, the token being stored in association with the account. Pitroda, in analogous art however, discloses generating a token to be associated with the account, the token being stored in association with the account ([0046]: the token is transmitted directly to a user; the token is transmitted to a personal client facility including at least one of a PC, mobile phone, and a public device for temporary personal use; [0065]: issuing a token to a user of a universal electronic transaction facility prior to receiving the data, wherein the data is associated with the token, a transaction that is based on verification of the token, issuing the token  done securely and electronically personalized to the user, the token may be associated with at least one of a credit card, a bank account, a frequent flyer card, a stored value card, a loyalty card, an insurance card, a driver's license, a bill, or a coupon; [0067]: a data token associated with the universal electronic transaction facility, a token verification transaction a real world transaction associated with a biometric parameter, three-dimensional authentication security that includes a user identity verification facility, a universal electronic transaction verification facility, and a domain 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the account in the account limitation disclosed by Rosener to include generating a token to be associated with the account, the token being stored in association with the account. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods and systems for supporting secure electronic transactions, including those that support security at the domain, user and device level as suggested by Pitroda (0010). Furthermore, it would have been obvious to one of ordinary skill in the art to include in the secure remote transaction server of Rosener to apply a known technique of generating a token to be associated with the account, the token being stored in association with the account in order to use the token in transaction verification process in a secure manner.

As per claim 2:
Rosener discloses receiving, by the secure remote transaction server from an access device, a request to complete a transaction in association with the account, the request including a signed authentication indicator ([0034]: In a remote secure transaction, the authenticator 240 is configured to authenticate the user 205 over the data network 230 (e.g., Internet) under public key infrastructure (PKI); [0035]: To authenticate the user 205, one or more user credentials are transmitted between the I/O device 210 and the authenticator 240. In order for the I/O device 210 to become a trusted credential source, the I/O device 210 needs to be personalized. In one embodiment, the I/O device 210 is configured with a personalized certificate 214 (under PKI) that contains information of the I/O device 210 and the user 205 combine);
verifying, by the secure remote transaction server, the authentication indicator using the public key stored in association with the account (0035:  The personalized certificate 214 is associated with pubic and private 215 keys. The private key 215 is used for encrypting a hash (i.e., signing a credential) or decrypting data that has been encrypted with its public key (not shown); and
upon verifying the authentication indicator, providing the token to the access device (0051: The credentials are either sent signed, or sent using a secure link based on the certificate, or both. The stored user credentials are used for later authentication. In addition to the credentials, the certificate may be optionally stored as well).

As per claim 3:


As per claim 4:
Rosener discloses wherein verifying the authentication indicator using the public key comprises performing a second cryptographic operation on the signed authentication indicator using the public key (0035-0036: first and second cryptographic hashing generation).

As per claim 5:
Pitroda discloses wherein verifying that the client device has authority to access the account comprises:
identifying, by the secure remote transaction server, an authorization entity associated with the account based on information in the request ([0394-0398]: receiving authorization from the service facility, this authorization may be generated by main service facility 142 on behalf of the service facility, the authorization may be contingent upon the verification of a signature, a code, or an approval, the authorization may be received at electronic facility 101 or support computer 134 via external connector 131; [0403]: There are many types of business processes that can be supported by a system that has an electronic transactions facility 101 that depicts a ticket issuance process where a user, perhaps in association with the client device 162, the merchant systems 170, and/or the main service facility 142, may be issued a ticket); and


As per claim 6:
Pitroda discloses wherein the authenticity of the account is determined by the authorization entity using a one-time passcode (0705: issue an OTAC (One Time Activation Code) to the user for each electronic transaction facility 101; 0710:  The service provider 168 may issue an OTAC to the user over a relevant channel (e.g. e-mail, courier). When the electronic transaction facility 101 contacts the service provider 168 for the first time, the OTAC may be verified by the service provider 168 for the initial authentication).

As per claim 7:
Pitroda discloses wherein the authorization entity transmits the one-time passcode to the client device via a communication channel stored in relation to the account ([0394-0398]; [0403]; (0441] The central service facility coordinates transactions between the UET and the ticket merchant facility provide or support any related authentication, authorization, security, financial, or other functions associated with the ticketing transaction).

As per claim 8:


As per claim 9:
Rosener discloses wherein the cryptographic key pair is generated on the secure remote transaction server and the method further comprises transmitting the private key to the client device ([0050] After verifying the certificates, the registration or personalization server 620 combines the device and user information from the respective MFR and independent user certificates to create a personalized certificate 624, which is sent back to the I/O device 610 along with an associated private key. The newly generated personalized certificate and private key may be encrypted with a public key of the manufacturer certificate before sending back. This ensures only the device that has the corresponding private key can decrypt and receive the personalized certificate and associated private key. With the combination in the personalized certificate and associated private key, the I/O device 610 can be used as a trusted credential source).

As per claim 10:
Rosener discloses wherein the public key is forwarded to an authorization entity associated with the account (0050).

As per claims 11-12:
Claims 11-12 are directed to a secure remote transaction server comprising a processor; and a memory including instructions that, when executed with the processor, cause the secure remote transaction server having substantially similar claimed features as recited in corresponding method claims 1-2 respectively and therefore claims 11-12 are rejected with the same rationale given above to reject corresponding limitations of claims 1-2.

As per claim 13:
Pitroda discloses wherein verifying the authentication indicator using the public key comprises generating an unsigned version of the signed authentication indicator and assessing the unsigned version of the signed authentication indicator and (0475: Token may without limitation be associated with a service or application such as a credit card, a bank account, a frequent flyer card, a stored value card, a loyalty card, an insurance card, a driver's license, a bill, or a coupon, the electronic facility 101 may render a token, securely and electronically, the token so that it is visible to the user, The token may be procured from one of a plurality of domains, through any wired or wireless medium, and may be used during the initiation or completion of a transaction; The token may be encrypted, such as with 3DES or AES, when issued and/or when stored in the electronic facility 101).

As per claim 14:


As per claim 15:
Pitroda discloses wherein assessing the unsigned version of the signed authentication indicator comprises determining whether a likelihood value in the unsigned version of the signed authentication indicator exceeds a threshold value (0303: provides the ability to securely encrypt tokens and receipts, not only when they are issued, but also when they are stored on the client device that includes the ability to configure the user-Interface and various personalized and/or non-personalized applications on the client device 162 (which may be a personal device or a public device taken for temporary personal use) based on the user's preferences and/or through the support of an expert system capable of learning over a period of time based on the user's behavior, usage patterns, transaction history and qualified external inputs).

As per claim 16:


As per claim 17:
Pitroda discloses wherein the token is generated as a random string of characters (0705: an OTAC (One Time Activation Code) to the user for each electronic transaction facility 101. This OTAC may be delivered to the user over a relevant channel (e.g., E-mail, Courier, etc.). The OTAC may be an 8-character strong random generated for the given electronic transaction facility 101 by the server and stored securely on the server for verification. Similarly, it is obvious and common sense try for one of ordinary skill in the art to generate the token as a random string of characters, since generation of radon string is a readily available function).

As per claim 18:
Pitroda discloses wherein generating a token to be associated with the account comprising receiving a token from an authorization entity associated with the account (0303).

As per claim 19:
Rosener discloses a computer-implemented method comprising:
receiving, by a communication device, a request to register authentication data for an account associated with a service provider ([0014]: a user or owner of the I/O device can register 
prompting, by the communication device, a user of the account to provide the authentication data ( 0019: user credentials may include, but are not necessarily limited to, voiceprint sample, fingerprint sample, other biometric measures (e.g., heart rhythm), password/pass phrase/pass-set, user possessed tokens (e.g., a one-time password generated on the fly, a credit card, etc.). Each user may enroll one or more user credentials with an authenticator (e.g., a bank, a merchant, etc.), in which the user credentials are entered/checked and stored for later authentication);
receiving, by the communication device, the authentication data from the user ([0020]: additionally, when the user credentials are sent under PKI, a hash is created from each of the user credentials to be sent for authentication using a predetermined hash creation scheme. The 
registering, by the communication device, the authentication data onto the communication device ([0030-0031]: registering or personalizing the I/O device and enrolling the personalized I/O device to be a trusted credential source); 
obtaining, by the communication device, a private key of a cryptographic key pair ([0048-0049]: The online transmission of the user credentials during enrollment or authentication is conducted using PKI, in which a hashing process (i.e., hash generation) is performed to transform each of the one or more user credentials into a hash; Because both the MFR and independent user, and personalized certificates are traceable using existing technology (i.e., PKI), any enrollment/authentication site coupled to the Internet can be used for enrolling the personalized I/O device); and
associating, by the communication device, the private key with the account and the authentication data, wherein a secure remote server links a public key of the cryptographic key pair to the account ([0016]: The certificate is associated with a pair of asymmetric keys—private and public. The private key is used for signing a data object (e.g., a user credential) and kept secret by the owner. A corresponding public key is then used for decrypting the digital signature and verifying the integrity of the object; [0017]: Under PKI, a digital certificate is made containing at a minimum, the public key, the certificate-owner ID and the certificate-issuer ID. The certificate is then signed by the certificate issuer, making it traceable to the certificate authority or CA. It may also contain other information (like user name, validity date); 0051: the enrollment server 640 optionally sets us a secure link and asks for a personalized certificate 624).

Rosener does not explicitly disclose a token to be associated with the account. Pitroda, in analogous art however, discloses a token to be associated with the account ([0046]: the token is transmitted directly to a user; the token is transmitted to a personal client facility including at least one of a PC, mobile phone, and a public device for temporary personal use; [0065]: issuing a token to a user of a universal electronic transaction facility prior to receiving the data, wherein the data is associated with the token, a transaction that is based on verification of the token, issuing the token  done securely and electronically personalized to the user, the token may be associated with at least one of a credit card, a bank account, a frequent flyer card, a stored value card, a loyalty card, an insurance card, a driver's license, a bill, or a coupon; [0067]: a data token associated with the universal electronic transaction facility, a token verification transaction a real world transaction associated with a biometric parameter, three-dimensional authentication security that includes a user identity verification facility, a universal electronic transaction verification facility, and a domain verification facility, a plurality of user data tokens associated with the universal electronic transaction, associated with each user data token, personalized to a user; [0077]: providing a personalized token in association with a universal electronic transaction facility a separate security protocol based on at least a domain, a device and a user of the universal electronic transaction facility: a driver's license, a passport. In versions of this variation, the personalized token may be at least one of the following kinds of token: a secure and electronic token, a branded token. The personalized token  provided at a point of transaction in real time; [0200] The financial service may include securely issuing, to the universal electronic transaction facility, at least one electronic replica of at least one of the following items: a bill from 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the account in the account limitation disclosed by Rosener to include a token to be associated with the account. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods and systems for supporting secure electronic transactions, including those that support security at the domain, user and device level as suggested by Pitroda (0010). Furthermore, it would have been obvious to one of ordinary skill in the art to include in the registered authentication of Rosener to apply a known technique of associating a token with the account in order to use the token in transaction verification process in a secure manner.

As per claim 20:
Rosener discloses:
receiving, by the communication device, a request to access the account (0019: Each user may enroll one or more user credentials with an authenticator);
prompting, by the communication device, the user to provide the authentication data (0019: user credentials are entered/checked and stored for later authentication);
receiving, by the communication device, the authentication data from the user (0019: user credentials are entered/checked and stored for later authentication);

determining, by the communication device, that the received authentication data matches the registered authentication data (0051: the enrollment server 640 optionally sets us a secure link and asks for a personalized certificate 62);
generating, by the communication device, an authentication indicator indicating the match ([0050]: After verifying the certificates, the registration or personalization server 620 combines the device and user information from the respective MFR and independent user certificates to create a personalized certificate 624);
signing, by the communication device, the authentication indicator using the private key (0019: During authentication, one or more user credentials are signed using a private key (e.g., private key associated with personalized certificate and/or manufacturer certificate) of the personalized I/O device before being sent to an authenticator. The authenticator would only trust the received credentials when such credentials are signed and sent from the personalized I/O device); and
sending, by the communication device, the signed authentication indicator to the secure remote server in an access request, wherein the secure remote server releases the token to the service provider to grant the user access to the account in response to verifying the signed authentication indicator using the public key [0017]: Under PKI, a digital certificate is made 


BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as it would be interpreted by one of ordinary skill in the art and the following claim words or terms or phrases or languages have been given the following reasonable BRI considerations to them in view of the applicant’s disclosure in order to construe boundary and scope of the claimed limitations. For example, for the following claim words or terms or phrases or languages, the examiner recites from the applicant’s disclosure:

Secure Remote Tansaction (SRT): 	[0039]: A “secure remote transaction (SRT) platform” may be any entity capable of facilitating a transaction communicating with an initiator (0032: An “initiator” may be any entity capable of facilitating communication between a resource provider and one or more SRT platforms), a facilitator (0031: A “facilitator” may be any entity capable of authenticating a user of a client device), and a transaction processing network. In some embodiments, a SRT platform may include a SRT server, a token provider, and a transaction processing network. An SRT platform may be configured to perform one or more processes that include: receive a request for a transaction from an initiator, identify an account associated with 

Token:		[0041]: A “token” may refer to a substitute identifier for some information (an identifier for a transaction account as substitute for an account identifier - a primary account number (PAN); a token may include a series of alphanumeric characters as a substitute for an original account identifier; a random string of characters; a PAN to initiate, authorize, settle or resolve a transaction; the original credential. [0042] “Tokenization” may refer to a process by which data is replaced with substitute data to enhance transaction efficiency, improve transaction security, increase service transparency, or to provide a method for third-party enablement. [0043] A “token service provider” may refer to an entity including one or more server computers that generates, processes, and/or maintains tokens. It may include or be in communication with a token vault where the generated tokens are stored. Specifically, the token vault may maintain one-to-one mapping between a token and the data (e.g., a real account identifier) represented by the token.  [0044] A “token vault” may refer to a repository that maintains established token-to-PAN mappings. According to various embodiments, the token vault may also maintain other attributes of the token requestor that may be determined at the time of registration and that may be used by the token SRT server to apply domain restrictions or other controls during transaction processing.

Authentication Indicator: 	[0070]: The facilitator application 232 may be a mobile application installed upon, and executed from, the client device 204, the facilitator application 232 may be configured to authenticate the user and generate an authentication indicator that indicates whether or not the user is authenticated. The authentication application 231 of the client device 204 may then be configured to sign the authentication indicator by performing a cryptographic algorithm on the authentication indicator using the private cryptographic key 234 which has been provided to the client device by the account binding module 220. [0095]: The request may include various details related to the requested transaction along with a signed authentication indicator. For example, upon initiation of the requested transaction, the user may be prompted to provide one or more biometric samples. The biometric samples provided by the user may be processed by a facilitator application on the client device to determine the authenticity of the user. Once determined, the facilitator application may generate an authentication indicator that indicates a likelihood that the user requesting the transaction is the user enrolled into the account. The client device may then sign this authentication indicator by performing a cryptographic operation on the authentication indicator using the private key generated and stored on the client device at 706. The signed authentication indicator may be provided to the secure remote transaction server within the request received at 710.

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TECHANE GERGISO/Primary Examiner, Art Unit 2494