DETAILED ACTION
Acknowledgements
This Office Action is in reply to Applicant’s original application filed 02 June 2020.  
Claims 1–20 are currently pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The Information Disclosure Statements filed 21 December 2020 and 05 January 2021 have been considered. Initialed copies of the Form 1449 are enclosed herewith.
Claim Rejections - 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1–3, 5–11, 13–17, and 19–20 are rejected under 35 U.S.C. § 103 as being unpatentable over Donaldson et al. (US 2019/0116037 A1) (“Donaldson”), in view of Bidgoli (Document U cited on attached PTO-892), and alternatively in view of Lisbakken (US 2012/0016749 A1).
As per claim 1, Donaldson discloses a computer-implemented method for securely collecting data via a third-party webpage, comprising:

digitally signing, with at least one processor, the configuration data 
transmitting, with at least one processor, the configuration data to the first system, the configuration data comprising code configured to facilitate the first system to embed [a frame] 
verifying, with at least one processor, the configuration data 
receiving, from [the frame]
Donaldson does not expressly disclose that the “digitally signing” step is “based on a private key of a second key pair,” and that the corresponding “verifying” step is “based on a public key of the second key pair.”
Bidgoli teaches digitally signing, with at least one processor, data based on a private key of a second key pair (p. 527, § Creating the Digital Signature); and verifying, with at least one processor, the data based on a public key of the second key pair
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify the signing of Donaldson, which appears to use only a hash of the data, to include use of a private key, as taught by Bidgoli, and to modify the verifying of Donaldson to include use of a corresponding public key, also taught by Bidgoli. One would have been motivated to do so because use of a private/public key pair in a signature proves the identity of the sender to the recipient.
Furthermore, Donaldson does not expressly disclose “transmitting … code configured to facilitate the first system to embed a plurality of frames in a webpage, wherein the plurality of frames loads content from a domain that is independent from a domain that hosts the webpage” and that the receiving of encrypted data is “from a master frame of the plurality of frames,” as claimed.
Primarily, it is the Examiner’s position that the configuration of the “code,” i.e., “to facilitate the first system to embed a plurality of frames in a webpage, wherein …,” does not affect the “transmitting” step in a manipulative sense, and is therefore not given patentable weight. Likewise, it is the Examiner’s primary position that the term “master frame of the plurality of frames” does not affect the “receiving” step in a manipulative sense, and is therefore also not given patentable weight. However, in the interest of compact prosecution, the language not afforded patentable weight is addressed in the following paragraphs.
Alternatively, Lisbakken teaches transmitting, with at least one processor, [a] configuration data to [a] first system, the configuration data comprising code configured to facilitate the first system to embed a plurality of frames in a webpage, wherein the plurality of frames loads content from a domain that is independent from a domain that hosts the webpage (at least [0012]; [0039] [0044]–[0045]). Lisbakken further teaches that one of the frames is a master frame (“primary iFrame”) in communication with a server ([0042] [0052] [0059]).
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Donaldson to include configuration data of a plurality of frames including a master frame, as taught by Lisbakken. One would have been motivated to do so because such configurations allow for the content, from the domain that is independent from the domain that hosts the webpage, to include multiple content instances in separate iFrames (e.g., separate fields for entry of data, as discussed by Donaldson in [0036]).

As per claim 2, Donaldson, Bidgoli, and Lisbakken teach the computer-implemented method of claim 1, further comprising: decrypting, with at least one processor, the encrypted data based on a private key of the first key pair, resulting in the user data; transmitting, with at least one processor, the user data to a token management system; receiving, from the token management system, a transient token generated based on the user data; and transmitting, with at least one processor, the transient token to at least one frame of the plurality of frames (Donaldson, [0037], fig. 4, steps 242, 244, 246).
As per claim 3, Donaldson, Bidgoli, and Lisbakken teach the computer-implemented method of claim 2, wherein the first system is a merchant system, further comprising: passing the transient token from the at least one frame to the merchant system; receiving, from the merchant system, a transaction request comprising the transient token; obtaining, from the token management system, the user data; and generating an authorization request based on the user data (Donaldson, at least [0038]).
As per claim 5, Donaldson, Bidgoli, and Lisbakken teach the computer-implemented method of claim 1, wherein the public key of the second key pair is embedded in a library file for a client-side script (note: “wherein” clause does not recite an additional method step and does not affect a positively recited method step of claim 1, and is therefore not given patentable weight).
note: term “payment gateway” does not affect the method steps of claim one in a manipulative sense, and is therefore not given patentable weight).
As per claim 7, Donaldson, Bidgoli, and Lisbakken teach the computer-implemented method of claim 2, further comprising: digitally signing, with at least one processor, the transient token based on the private key of the first key pair (note: although Donaldson does not expressly disclose digitally signing the transient token, for reasons similar to those discussed above regarding “digitally signing” of claim 1, it would be obvious to modify Donaldson to sign the transient token with the private key of the first key pair).
Claims 8–11, 13–17, and 19–20 contain language similar to claims 1–3 and 5–7 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 8–11, 13–17, and 19–20 are also rejected under 35 U.S.C. § 103 as unpatentable over the cited references.
Claims 4, 12, and 18 are rejected under 35 U.S.C. § 103 as being unpatentable over Donaldson, Bidgoli, and Lisbakken, in view of Briden et al. (GB 2544998 A) (“Briden”).
As per claim 4, Donaldson, Bidgoli, and Lisbakken teach the computer-implemented method of claim 3, but do not expressly teach wherein the user data is temporarily stored in memory by the token management system, the method further comprising: deleting the user data after authorization based on the authorization request.

Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify the token system of Donaldson to delete the user data after authorization, as taught by Briden. One would have been motivated to do so in order to protect the user data from unnecessary exposure.
Claims 12 and 18 contain language similar to claim 4 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 12 and 18 are also rejected under 35 U.S.C. § 103 as unpatentable over the cited references.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB C. COPPOLA whose telephone number is (571)270-3922. The examiner can normally be reached Monday-Friday 8:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about 
/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685