DETAILED ACTION
 	Claims 21-40 are pending. Claims 1-20 are canceled. This is in response to the application filed on October 22, 2019 which is a Continuation of 15/649923 filed on July 14, 2017, granted under Patent 10,491,389.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 21 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,491,389. Although the claims at issue are not identical, they are not patentably distinct from each other because they both recite similar features as follows:


Claim   21:                                                         Claim 1 of Patent 10,491,389:
     receiving, by a directory server computer from a resource provider computer, an authentication request message including transaction data and a token request indicator, each portion of the transaction data being different from a token; 

 	transmitting the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate a user and transmit an authentication response message; 







     in response to identifying that the token request indicator was included in the authentication request message, transmitting, by the directory server computer to a token provider computer, a token request message requesting a new token, the token request message being transmitted based at least in part on the token request indicator, wherein transmitting the token request message causes the token provider computer to provision the new token and generate an association between the new token and an identifier of the transaction data; receiving, by the directory server computer, the new token from the token provider computer; 
      modifying, by the directory server computer, the authentication response message to include the new token; and  	



wherein the directory server computer subsequently transmits the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate the user, generate a verification value representing the authentication, and transmit an authentication response message comprising the verification value to the directory server computer;  


computer, the authentication response message comprising the verification value 
and a new token, wherein the new token is provisioned by a token provider 
computer and obtained by the directory server computer from the token provider 
computer based at least in part on inclusion of the token request indicator in 
the authentication request message, and wherein provisioning the new token 
comprises generating the new token and generating an association between the new token and a portion of the transaction data;  




   



	Claims 22-27 are rejected as being depended to claim 21.
	Claim 28 is rejected in view of claim 13 of Patent 10,491,389 for the same reasoning above.
 	Claims 29-34 are rejected as being depended to claim 28.
	Claim 35 is rejected in view of claim 7 of Patent 10,491,389 for the same reasoning above.
	Claims 36-40 are rejected as being depended to claim 35.
	This is an anticipatory rejection.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –




Claims 21, 24-28, 30-31, 34-38 and 40 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dimmick et al. PG Pub 20160321652 (hereinafter Dimmick)
 	Regarding claim 21, Dimmick discloses a computer-implemented method, comprising: 
 	receiving, by a directory server computer from a resource provider computer, an authentication request message including transaction data and a token request indicator, each portion of the transaction data being different from a token (par. [0087]-[0088] disclose “…the consumer provides data, such as transaction data, identification data, payment data, etc. … The data may include a token representing an account number issued to the consumer by an issuer of consumer's payment account. The merchant computer 204 … At step 352, the merchant computer 204 may send the authentication request message including at least the token to a merchant plug-in module 306…the merchant plug-in module 306 (resource provider computer) forwards the authentication request message to the directory server 316. At step 354, the directory server 316 may analyze the authentication request message and determine that the message includes a token…”); 
 	transmitting the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate a user and transmit an authentication response message (par. [0091]-[0093] disclose “…the directory server 316 may identify the issuer access control server 218 based on the 
 	receiving, by the directory server computer, the authentication response message; in response to identifying that the token request indicator was included in the authentication request message, transmitting, by the directory server computer to a token provider computer, a token request message requesting a new token, the token request message being transmitted based at least in part on the token request indicator, wherein transmitting the token request message causes the token provider computer to provision the new token and generate an association between the new token and an identifier of the transaction data (par. [0094]-[0095] disclose “…the access control server 218 sends the authentication response message including the account number and the authentication value to the directory server 316. The directory server 316 may re-tokenize the account number included in the authentication response message by interacting with the token service provider 210… At step 360, the directory server 316 may send the account number to the token service provider 210 and receive the corresponding token from the token service provider 210… (once) the consumer has been authenticated by the access control server 218…the merchant computer 204 may start the payment transaction by generating a transaction authorization request message including at least the authentication value and the token”); 
 	receiving, by the directory server computer, the new token from the token provider computer; modifying, by the directory server computer, the authentication response message to include the new token (see above, At step 360, the directory 
 	transmitting, by the directory server computer, the authentication response message as modified to the resource provider computer (par. [0094]-[0095] disclose “The directory server 316 may modify the authentication response message to replace the account number with the retrieved token. At step 361, the directory server 316 may send the modified authentication response message including at least the token and the authentication value to the merchant plug-in module 306. The merchant plug-in module 306 may forward the modified authentication response message to the merchant computer 204 at step 362…(once) the consumer has been authenticated by the access control server 218 …the merchant computer 204 may start the payment transaction”. 

Regarding claim 24, Dimmick discloses wherein transmitting the authentication response message as modified to the resource provider computer causes the resource provider computer to: generate an authorization request message comprising the new token; and transmit, to an authorizing entity computer, the authorization request message comprising the new token (par. [0094]-[0095] disclose “…(the) directory server 316 may send the modified authentication response message including at least the token (new token presented in claim 21 rejection) and the authentication value to the merchant plug-in module 306. The merchant plug-in module 306 may forward the modified authentication response message to the merchant computer 204 …(where) the merchant computer 204 may start the payment transaction by generating a transaction authorization request message including at least the authentication value and the token…” where the request transmitting a data request message to the access control server computer; and receiving, from the access control server computer, a data response message comprising user-specific data associated with the user, wherein the authentication response message received from the directory server computer further comprises the user-specific data received from the access control server computer (par. [0091]-[0095] discloses “…the directory server 316 may identify the issuer access control server 218 based on the account number and send the modified authentication request message including at least the account number to the issuer access control server 218 for authentication…(the) access control server 218 may interact with the consumer so that the consumer may authenticate his or her identity by presenting authentication information to the access control server 218… the consumer authenticates his or her identity by providing a password, credential, or other identifying information previously associated with their account ...Upon authenticating the consumer, the access control server 218 generates an authentication response message including at least the account number and an authentication value indicating whether the consumer has been authenticated”).  	Regarding claim 26, Dimmick discloses wherein receipt of the authentication request message further causes the access control server computer to provide user-specific data associated with the user within the authentication response message transmitted to the directory server computer (as presented in claim 25 rejection, the wherein the user-specific data comprises at least one of: a billing address, a phone number, an electronic mail address, an account identifier, or transaction device data associated with the user (par. [0042] discloses user-specific data such as user name, user address data, user email address, user phone number, etc.. Furthermore, par. [0093] discloses the authentication response message including at least the account number suggesting that the access control server 218 can provide more user personal data if desired in the response message).  	Regarding claim 28, Dimmick discloses a directory server computer, comprising: a processor, and a computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, for implementing a method comprising: receiving, from a resource provider computer, an authentication request message including transaction data and a token request indicator, each portion of the transaction data being different from a token; transmitting the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate a user and transmit an authentication response message; receiving the authentication response message; in response to identifying that the token request indicator was included in the authentication request message, transmitting, to a token provider computer, a token request message requesting a new token, the token request message being transmitted based at least in part on the token request indicator, wherein transmitting the token request message causes the token provider computer to provision the new token and generate an association between the new token and an identifier of the transaction data; receiving the new token from the token provider computer; modifying the authentication response message to include the new token; and transmitting the authentication response message as modified to the resource provider computer. 
See claim 21 rejection. 	Regarding claim 30, Dimmick discloses wherein transmitting the authentication response message as modified causes the resource provider computer to transmit an authorization request message comprising the new token. See claim 24 rejection. 	Regarding claim 31, Dimmick discloses wherein receipt of the authentication request message by the access control server computer further causes the access control server computer to provide user-specific data associated with the user within the authentication response message. See claim 26 rejection. 	Regarding claim 34, Dimmick discloses wherein the new token is generated as part of an authentication process for authenticating the user associated with the transaction data (the account number is re-tokenized in the authentication response message).  	Regarding claim 35, Dimmick discloses a computer-implemented method, comprising: 
receiving, by a resource provider computer associated with a resource provider, transaction data corresponding to a transaction, each portion of the transaction data being different from a token; transmitting, by the resource provider computer to a directory server computer, an authentication request message including the transaction data and a token request indicator, wherein the directory server computer subsequently transmits the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate a user and transmit an authentication response message to the directory server computer; and receiving, by the resource provider computer from the directory server computer, the authentication response message comprising a new token, wherein the new token is provisioned by a token provider computer and obtained by the directory server computer from the token provider computer based at least in part on inclusion of the token request indicator in the authentication request message, and wherein provisioning the new token comprises generating the new token and generating an association between the new token and a portion of the transaction data. 	See claim 21 rejection.
generating, by the resource provider computer, an authorization request message comprising the token; and transmitting the authorization request message comprising the token to an authorization entity computer for the transaction. See claim 24 rejection. 	Regarding claim 37, Dimmick discloses wherein the receipt of the authentication request message further causes the directory server computer to: transmit a data request message to the access control server computer; and receive, from the access control server computer, a data response message comprising user-specific data associated with the user. See the process when the directory server sending authentication message and receiving the authentication response messages from the access control server cited in claim 21. 	Regarding claim 38, Dimmick discloses wherein the directory server computer updates the authentication response message to comprise the user-specific data received from the access control server computer. See claim 25 rejection. Re-tokenized is updating. 	Regarding claim 40, Dimmick discloses wherein the portion of the transaction data comprises an account identifier. See account number presented in claim 21 rejection.
	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 22-23 , 29 and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Dimmick in view of PG Pub 20160301683 (hereinafter Laxminarayanan)
 	Regarding claim 22, Dimmick does not disclose receiving, by the directory server computer from the resource provider computer, a cryptogram request message associated with the new token, wherein receipt of the cryptogram request message causes the directory server computer to: transmit the cryptogram request message to the token provider computer; and receive, from the token provider computer, a cryptogram response message comprising a cryptogram associated with the new token from the token provider computer; and transmitting, by the directory server computer to the resource provider computer, the cryptogram response message comprising the cryptogram associated with the new token. Laxminarayanan discloses the use of  (par. [0043]-[0063] disclose a payment transaction where “…server computer 105 (directory server) may send a corresponding payment token to and request a token cryptogram based on the payment token from payment processing network 107 (token provider)…The token may be associated with an account number of a payment account of user 101 that was identified by the transaction data identifier … payment processing network 107 may generate a token cryptogram based on the token and send the token cryptogram to server computer 105…”). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Dimmick with Laxminarayanan to teach the claimed feature by incorporating cryptogram technique in payment transaction data.  One would have done so to utilize a token cryptogram with a browser to facilitate a transaction to hide sensitive data such that limiting the number of entities or computing devices that have access to the sensitive data reduces the exposure of the sensitive data for improper use (par. [0012]). 	Regarding claim 23, Laxminarayanan discloses wherein the cryptogram is associated with one or more token restrictions (par. [0068] discloses the processing network to link the token cryptogram that it generates with the unique identifier and then enforce a domain restriction). 

Regarding claim 29, Dimmick and Laxminarayanan discloses receiving, from the resource provider computer, a cryptogram request message associated with the new token, wherein receipt of the cryptogram request message causes the directory server computer obtain a cryptogram associated with the new token from the token provider computer; and transmitting, to the resource provider computer, a cryptogram response message comprising the cryptogram associated with the new token. See claim 22 rejection. 
 	Regarding claim 32, Dimmick and Laxminarayanan disclose wherein a cryptogram corresponding to the new token is generated as part of generating the new token (Dimmick teaches re-tokenize the account number included in the authentication response message (par. [0094]) and Laxminarayanan teaches generating a token cryptogram based on the sent token where the token is associated with an account number (par. [0047])). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Dimmick with Laxminarayanan to teach the claimed feature by incorporating cryptogram technique in payment transaction data.  One would have done so to utilize a token cryptogram to arrive at the claimed invention as an obvious variation.
  	Allowable Subject Matter
Claims 33 and 39 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Inquiry Communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/TRI M TRAN/Primary Examiner, Art Unit 2494