DETAILED ACTION
The following NON-FINAL Office action is in response to Request for Examination (RCE) filed on March 31, 2021 for 15499709. 
	
Acknowledgements

Claims 1-20 are pending.
Claims 1-20 have been examined.


Notice of Pre-AIA or AIA Status

The present application, filed on or after December 13, 2013, is being examined under the first inventor to file provisions of the AIA.


Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 06/31/2021 has been entered.

Response to Arguments

35 USC § 101
In response to Applicant’s arguments for claim rejections under 35 USC § 101, Applicant argues that the pending claims are not directed to an abstract idea and believes that the claims do not fall into any categories of abstract ideas. Also Applicant argues the pending claims include additional elements that enable the claimed system to solve these specific problems of transmitting unprotected sensitive or personally identifiable data, such as a credit card or social security number, over an unsecured network. Applicant believes that since the EDP computing device retrieves the protected data from the memory device and completes the interaction by forwarding the protected data over an existing secure connection to a separate computing device such as a bank without ever transmitting or otherwise exposing the protected data to the business entity computing device which makes it a practical application that improves network security for sensitive personal information.
Examiner respectfully disagrees as the currently amended claims are still reciting requesting a traveler’s credit card or check which falls under “method of organizing human activity” grouping of abstract ideas. Specifically, the claims are falling under “fundamental economic principles or practices” explicitly mitigating risk to the consumer because the claims are reciting steps for generating and transmitting a token request to ¶0016) hence mitigating risk. Also Examiner further disagrees as the judicial exception is still not integrated into a practical application because the additional elements of the claims such as the use of “a non-transitory computer readable medium that includes computer executable instructions for protecting sensitive data of a user during a computer interaction between the user and a business entity computing device associated with a business entity is provided that when executed by an EDP computing device including a processor and a memory device, the computer executable instructions cause the EDP computing device” (See ¶0006 PGPUB Specification) carry out the limitations of Claim 1 such as “generating and transmitting a token request to the user, user receiving the token request and selecting an account, receiving the token response and performing a lookup of the account, transmitting the protected data to a third party (bank or payment processor)” merely describe using a computer as a tool to perform an abstract idea and/or generally link the use of a judicial exception to a particular technological environment. 
These additional limitations do not define a practical application as they do not describe any improvement to technology as the use of an EDP computing device, business entity computing device and user computing device are being used as tools to implement the abstract idea and/or generally link the use of the abstract idea to a particular technological environment which does not render the claim patent eligible because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.
Applicant argues that the pending claims clearly recite more than well-understood, routine, or conventional activities at least with respect to completing computer interactions between users and business entities by only transmitting non-sensitive identifying information to a business entity computing device associated with the business entity, wherein the business entity then forwards the non-sensitive identifier to the claimed system, which retrieves sensitive ("protected") data and completes the computer interaction without ever transmitting or otherwise presenting the protected data to the business entity computing device. Examiner respectfully disagrees as the specific limitations “generating and transmitting a token request to the user, user receiving the token request and selecting an account, receiving the token response and performing a lookup of the account, transmitting the protected data to a third party (bank or payment processor)” are being evaluated as being well-understood, routine, or conventional activities at least with respect to completing computer interactions between users and business entities. The claimed generic system with programmed processor(s) such as an EDP computing device, business entity computing device and user computing device operates in its ordinary and conventional capacity to perform the well-understood, routine, and conventional functions of generating and transmitting a token request to the user, user receiving the token request and selecting an account, receiving the token response and performing a lookup of the account, transmitting the protected data to a third party (bank or payment processor).
35 USC § 103
In response to Applicant’s argument for claim rejections under 35 USC § 103, Applicant argues that the prior art references Yu (US 2017/0352034 A1) and Bu (US 2015/0088736A1) do not disclose “transmitting a token request message including an interaction identifier, a business entity identifier, and a request token to the user computing device, receiving a response token generated by a user application, performing a lookup for a protected data object associated with a selected user account identified by the response token, and completing the computer interaction by transmitting the protected data object to another computing device different from the user computing device and the business entity computing device, without transmitting the protected data object to the business entity computing device”.
Examiner respectfully disagrees as Yu does indeed disclose in paragraph 0021 that once the payment network 130, which is being considered as the EDP computing device, receives the token, it starts processing the transaction by generating a transaction record that corresponds to the transaction and includes information associated with the transaction such as “an identifier of a transaction, a name or identifier of a user 101 involved in the transaction, a date or time (e.g., a timestamp) of the transaction, a location of a mobile device, an amount of the transaction, a description of a good or service received in the transaction, a name, identifier, website, or location of a merchant that provided the received good or service, a name or identifier of mobile-payment provider 120, a name or identifier of the payment network 130 involved in the transaction, or information associated with a payment card associated with the transaction (e.g., a cardholder name, a card number, or the last four digits of the card number)”. Paragraph 0021 of Yu describes what is included in a transaction record and paragraphs 0028, 0031 and 0032 present a list of transaction records to a user. Paragraph 0029 of Yu describes the user selects records in which the transaction records to be verified are selected from a list of displayed transaction records. Paragraphs 0030-0032, 0034, 0039, and 0040 describe performing a look-up by verifying the transaction record is valid by the payment application by contacting mobile payment provider. Now prior art Bu discloses how a payment can be made using an electronic wallet by first transmitting the payment related information to the electronic wallet server and search for information about payment means available at the member shop and information about payment means available by the user. The electronic wallet server is capable of generating payment related information such as discount information, coupon information with reference to the found information about payment means available at the member shop and the found information about payment means available by the user.
Examiner would like to clarify that Bu was utilized to specifically disclose “transmit the payment related information to the user terminal 100 of the user” in which the user terminal can display the payment related information received from the electronic wallet server on a screen. Now when the user selects payment means, the user terminal can request the electronic wallet server to make the payment by the selected payment means. Therefore, Examiner believes that the combination of references Yu and Bu is sufficient to disclose the pending limitations as they are currently written.




Claim Rejections - 35 USC § 101


35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
In the instant case, claims 1-7 are directed to a system, claims 8-13 are directed to a method and claims 14-20 are directed to a non-transitory computer readable-medium. Therefore, these claims fall within the four statutory categories of invention. 
The claims recite requesting a traveler’s credit card or check. Specifically, the claim recites “receive interaction data from the business entity… transmitted by the user to the business entity, generate, using at least in part the user identifier, a token request message including the interaction identifier, the business entity identifier, and a request token, transmit the token request message to the user to select the one or more accounts, receive a token response message including a response token…the response token identifying the selected user account, perform a lookup using the selected user account, for a  protected data object associated with the first account and complete the interaction by transmitting the protected data object to a “third party” from the user and  business entity without transmitting the protected data object to the business entity”  which is grouped within the “certain methods of organizing human activity” grouping of abstract ideas, specifically under “fundamental economic principles or practices” mitigating risk to the consumer (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because – for example, in this case, the claims involve a series of steps for generating and transmitting a token request to the user, selecting and looking up the account and eventually completing the transaction by transmitting the protected data object to a third party such as a bank or payment processor. Accordingly, the claim recites an abstract idea (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al. US Supreme Court, No. 13-298, June 19, 2014).
This judicial exception is not integrated into a practical application because the additional elements of the claims such as the use of “a non-transitory computer readable medium that includes computer executable instructions for protecting sensitive data of a user during a computer interaction between the user and a business entity computing device associated with a business entity is provided that when executed by an EDP computing device including a processor and a memory device, the computer executable instructions cause the EDP computing device” (See ¶0006 PGPUB Specification) carry out the limitations of Claim 1 such as “generating and transmitting a token request to the user, user receiving the token request and selecting an account, receiving the token response and performing a lookup of the account, transmitting the protected data to a third party (bank or payment processor)” merely use a computer as a tool to perform an abstract idea and/or generally link the use of a judicial exception to a particular technological environment (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)). The use of an EDP computing device, business entity computing device and user computing device as tools to implement the abstract idea and/or generally linking the use of the abstract idea to a particular technological environment does not render the claim patent eligible because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.
Specifically, an EDP computing device, business entity computing device and user computing device perform the steps or functions of “receive interaction data from the business entity… transmitted by the user to the business entity, generate, using at least in part the user identifier, a token request message including the interaction identifier, the business entity identifier, and a request token, transmit the token request message to the user to select the one or more accounts, receive a token response message including a response token…the response token identifying the selected user account, perform a lookup using the selected user account, for a protected data object associated with the first account and complete the interaction by transmitting the protected data object to a “third party” from the user and business entity without transmitting the protected data object to the business entity”. The additional claim elements are not indicative of integration into a practical application, because the claims do not involve improvements to the functioning of a computer, or to any other technology or technical field (MPEP 2106.05(a)), the claims do not apply the abstract idea with, or by use of, a particular machine (MPEP 2106.05(b)), the claims do not effect a transformation or reduction of a particular article to a different state or thing (MPEP 2106.05(c)), and the claims do not apply or use the abstract idea in some other meaningful way beyond generally linking the use of the abstract idea to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (MPEP 2106.05(e) and Vanda Memo). Therefore, the claims do not, for example, purport to improve the functioning of a computer. Nor do they effect an improvement in any other technology or technical field.
Accordingly, the additional elements do not impose any meaningful limits on practicing the abstract idea, and the claims are directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, as discussed above with respect to integration of the abstract idea into a practical application, the additional element(s) of using a “generating and transmitting a token request to the user, user receiving the token request and selecting an account, receiving the token response and performing a lookup of the account, transmitting the protected data to a third party (bank or payment processor)”  to perform the steps amounts to no more than using the EDP computing device, business entity computing device and user computing device to automate and/or implement the abstract idea of requesting a traveler’s credit card or check. The use of an EDP computing device, business entity computing device and user computing device to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself. Therefore, the claim is not patent eligible.



Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 5-6, 8, 12-14 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bu et al. (US 2015/0088736A1) in view of Yu (US 2017/0352034 A1).
Regarding Claim 1, Bu discloses: An electronic data protection (EDP) computing device for protecting sensitive data of a user during a computer interaction between a user computing device associated with the user and a business entity computing device associated with a business entity, the EDP computing device in communication with the user computing device and the business entity computing device, the EDP computing device comprising at least one processor communicatively coupled to a memory device comprising a non-transitory computer readable medium including computer-executable instructions, wherein when executed by the at least one processor, the computer-executable instructions cause the at least one processor to: 
receive interaction data for the computer interaction from the business entity computing device, the interaction data including an interaction identifier, a business entity identifier, and a user identifier, the user identifier associated with the user, the user identifier corresponding to an unprotected data object including non-sensitive sharable information associated with the user (Fig. 7 (706); ¶0109, ¶0110)
generate, using at least in part the user identifier, a token request message including [the interaction identifier], the business entity identifier, and a [request token] (Fig. 7 (712); ¶0110)
transmit the token request message to the user computing device, wherein the request token is processed by a user application on the user computing device, wherein the user application prompts a first message to the user requesting the user to select one of one or more user accounts (Fig. 7 (714); ¶0110, ¶0111)
receive, from the user computing device, a token response message including a response token generated by the user application, the response token identifying the selected user account (¶0111, ¶0118, ¶0119)
in response to receiving the token response message, perform a lookup in the memory device, using the selected user account, for a protected data object associated with the first user account, the protected data object including sensitive information associated with the user and the first user account (¶0111, ¶0118, ¶0119)
complete the computer interaction by transmitting the protected data object to another computing device different from the user computing device and the business entity computing device, without transmitting the protected data object to the business entity computing device (¶0112, ¶0113)
Bu does not disclose a token request message including the interaction identifier,…, and a request token.
Yu however discloses a token request message including the interaction identifier,…, and a request token (¶0021, ¶0028, ¶0031, ¶0032)
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the system/method/medium of Bu to include a token request message including the interaction identifier, …, and a request token, as disclosed in Yu, in order to provide a method to verify a client-side transaction record identifying a transaction involving a user of the client device (see Yu abstract).
Regarding Claims 5, 12 and 18, Yu discloses wherein the computer interaction is associated with an electronic payment transaction (¶0019-¶0021).
Regarding Claims 6, 13 and 19, Yu discloses wherein the other computing device includes at least one bank computing device, and wherein the computer-executable instructions further cause the at least one processor to: in response to transmitting the protected data object, receive an authorization response from the at least one bank computing device (¶0015-¶0018).
Claims 3, 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bu in view of Yu in further view of Hippeläinen (US 6,516,996 B1).
Regarding Claims 3, 10 and 16, while Yu discloses the interaction identifier, the combination of Bu in view of Yu does not disclose the interaction identifier is generated by the business entity computing device in response to the user transmitting the user identifier to the business entity computing device.
Hippeläinen however discloses the interaction identifier is generated by the business entity computing device in response to the user transmitting the user identifier to the business entity computing device (Col. 3 lines 29-52, Col. 7 lines 40-51, Col. 9 lines 28-43).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the system/method/medium of Bu in view of Yu to include the interaction identifier is generated by the business entity computing device in response to the user transmitting the user identifier to the business entity computing device, as disclosed in Hippeläinen, in order to provide an electronic payment system that can provide undeniably certified receipts of transactions and transfer them to further processing, while maintaining the level of certification (see Hippeläinen Col. 2 lines 55-59).
Claims 4, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bu in view of Yu in further view of LI et al. (US 2015/0142658 A1).
Regarding Claims 4, 11 and 17, the combination of Bu in view of Yu does not disclose wherein the token request message includes an expiration time window, wherein the expiration time window represents an amount of time that the EDP computing device monitors to receive the token response message, and wherein the user application on the user computing device prompts a third message to the user, the third message requesting the user to provide the token response message within the expiration time window.
LI however discloses wherein the token request message includes an expiration time window, wherein the expiration time window represents an amount of time that the EDP computing device monitors to receive the token response message, and wherein the user application on the user computing device prompts a third message to the user, the third message requesting the user to provide the token response message within the expiration time window (¶0046).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the system/method/medium of Bu in view of Yu to include wherein the token request message includes an expiration time window, wherein the expiration time window represents an amount of time that the EDP computing device monitors to receive the token response message, and wherein the user application on the user computing device prompts a third message to the user, the third message requesting the user to provide the token response message within the expiration time window, as disclosed in LI, in order to provide a method for managing multiple payment-bound terminals at a computer server (see LI ¶0005).
Claims 7 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bu in view of Yu in further view of Walker et al. (6,163,771).
Regarding Claims 7 and 20, while Yu discloses encrypting the unique key identifier (¶0021), the combination of Bu in view of Yu however does not disclose generate a unique key identifier using at least one of: i) a random number, ii) the interaction identifier, and iii) the business entity identifier.
Walker however discloses generate the unique key identifier using at least one of: i) a random number, ii) the interaction identifier, and iii) the business entity identifier (Col. 6 lines 60-66, Col. 7 lines 55-59, Col. 8-14).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention to modify the system/method/medium of Lu and Bu to include generate a unique key identifier using at least one of: i) a random number, ii) the interaction identifier, and iii) the business entity identifier, as disclosed in Walker, in order to facilitate secure electronic commerce, secure remote credit card purchases, and secure conventional credit card purchases (see Walker Col. 3 lines 59-63).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZEHRA RAZA whose telephone number is (571)272-8128. The examiner can normally be reached 10AM-6:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached on (571) 272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZEHRA RAZA/Examiner, Art Unit 3685     

/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3685