DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
•	Claims 1-20 are currently pending and have been examined. 
•	This action is made Non-FINAL.
•	The Examiner would like to note that this application is now being handled by Examiner Raven Zeer.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description:
Reference character 304 of FIG. 3.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements.  See MPEP § 2172.01.  The omitted elements are: establishing the secure webpage. 
Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps.  See MPEP § 2172.01.  The omitted steps are: establishing the secure webpage.
Furthermore regarding claim 1, claim 1 recites “a second secure communication connection,” at lines 10-11 of the claim.  This limitation is confusing because there is no 
Regarding claim 18, claim 18 recites the limitation "the hash server" in line 6.  There is insufficient antecedent basis for this limitation in the claim.
Claims 2-8, 10-15, 17, and 19-20 are rejected due to their dependency to a rejected claim.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention recites an abstract idea without significantly more. Independent claims 1, 9, and 16 are directed to an apparatus (claims 1 and 16) and a method (claim 9).  Therefore, on its face, each independent claim 1, 9, and 16 are directed to a statutory category of invention under Step 1 of the 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50 (Jan. 7, 2019) (“2019 PEG”).
Under Step 2A, Prong One of the 2019 PEG, claims 1, 9, and 16 recite, in part, an apparatus and a method of organizing human activity.  Claim 1 recites receive order context data associated with a merchant transaction; receive payment data associated with the merchant transaction; transmit the payment data, to process the payment data; and transmit a payment message indicating whether the payment data was processed.
Claim 9 recites receiving order context data associated with a merchant transaction at a client workstation; receiving encrypted payment data associated with the merchant transaction; transmitting the encrypted payment data; and receiving a processing message indicating whether the payment data was processed.
Claim 16 recites receive a first message associated with a merchant transaction at a merchant website; and receive a second message indicating a processing status of the merchant transaction.
The limitations, as drafted, is a process that, under its broadest reasonable interpretation, covers commercial and legal interactions (certain methods of organizing human activity), but for the recitation of generic computer components.  The claims as a whole recite a method of organizing human activity.  The claimed inventions allows for using a payment service to process merchant transactions, which is a commercial and legal interaction, specifically a commercial interaction of sales activities or behaviors.  The mere nominal recitation of a one or more processors; memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors do not take the claim out of the methods of organizing human activity grouping. Thus, the claims recite an abstract idea.
Under Step 2A, Prong Two of the 2019 PEG, the judicial exception is not integrated into a practical application. In particular, the claims only recite the additional elements— a secure webpage that overlays a presentation of a merchant webpage on the client workstation. The overlaying function is recited at a high level of generality (i.e., as a general means of overlaying a presentation of a webpage), and amounts to adding insignificant extra-solution activity to the judicial exception–see MPEP 2106.05(g).
Furthermore, the additional elements of claims 1 and 9 include a security assurance webserver comprising: one or more processors; memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors; 
 Accordingly, the combination of the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  The claims are directed to an abstract idea.
Under Step 2B of the 2019 PEG, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements in the claims amount to no more than generally linking the use of the judicial exception to a particular technological environment or field of use (see MPEP 2106.05(h)).  Generally 
Furthermore, under Step 2B of the 2019 PEG, the additional elements found to be insignificant extra-solution activities under Step 2A Prong Two, are re-evaluated to determine if the elements are more than what is well-understood, routine and conventional activity in the field.  Here, the Specification does not provide any indication that a secure webpage that overlays a presentation of a merchant webpage on the client workstation is anything other than generic computer components and functions.  These additional elements were well-understood, routine, and conventional before the effective filing date.  US 2012/0259782 (“Hammad”) teaches a pop-up window provided from the merchant website and/or the electronic wallet server (see Hammad at least at [0200]).  US 11,080,700 (“Ortiz”) teaches a GUI in the form of an interactive overlay screen (see Ortiz at col. 39, lines 55-65.).  US 20040117302 A1 (“Weichert”) discloses the checkout screen is typically in a window that overlays the window associated with the merchant (see Weichert at least at [0074]).  Accordingly, a conclusion that overlaying limitations are well understood, routine, and conventional activities is supported under Berkheimer Option 3.  The claims are not patent eligible.
The dependent claims have been given the full two part analysis including analyzing the additional limitations both individually and in combination.  The dependent claim(s) when analyzed both individually and in combination are also held to be patent ineligible under 35 U.S.C. 101 because for the same reasoning as above and the additional recited limitation(s) fail(s) to establish that the claim(s) is/are not directed to an abstract idea.  Dependent claims 3-6, 10, 12-14, 18, and 20 simply further describes the technological environment.  Dependent claims 2, 7-8, 11, 15, 17, and 19 simply help to define the abstract idea.  The additional limitations of 
Viewing the claim limitations as an ordered combination does not add anything further than looking at the claim limitations individually.  When viewed either individually, or as an ordered combination, the additional limitations do not amount to a claim as a whole that is significantly more than the abstract idea. Accordingly, claim(s) 1-20 is/are ineligible.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 6-11, 14-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over US 20170270515 A1 (“McCullagh”) in view of US 20170357957 A1 (“Mehta”), and in further view of US 20160125397 A1 (“Strydom”).
Regarding claim 1, McCullagh discloses a security assurance webserver comprising: one or more processors; memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors to (The service provider may be a third party other than the consumer and merchant, that provides services in support of electronic transactions.  See at least [0039].  Merchant Service Provider may be a server.  See at least [0079]-[0080].  See also [0009] and [0084]-[0085].  See also claim 1 disclosing “a merchant service provider server computer.”): 
receive, from an enterprise server, order context data associated with a merchant transaction at a client workstation (The consumer interacting with webpage on user device presses the “checkout” button on the merchant page, and the merchant server sends the order information to the HOP services provider of the service provider.  See at least [0046].  See also FIG. 3, checkout button 318 on “www.merchant.com.” The Examiner interprets the user device as a client workstation.  The Examiner also interprets the merchant server as the enterprise server.); 
determine whether to establish, at the client workstation, a webpage that redirects from a presentation of a merchant webpage on the client workstation, the webpage to receive payment data associated with the merchant transaction (The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at ; 
in response to establishing the webpage, transmit, via a second communication connection, the payment data to an application service, the application service to store the payment data (The consumer, via the user device, inputs the payment information. For example, the consumer inputs his or her credit card information into input fields and his or her billing address information into input fields and then presses the “Purchase” button.  The payment information is transmitted via SSL pipe from the user device to the HOP services provider.  The HOP services provider forwards the payment information received from the consumer as well as the order information received from the merchant to the transaction services via link.  See at least [0047]-[0049].  HOP services provider is part of the merchant service provider.  See at least [0037].  The transaction services creates an account/profile for the user in the user profile data and stores in the newly created account/profile the payment information and the billing information that the consumer inputted into input fields of the hosted payment page.  See at least [0050].  The entities are communicatively connected.  See at least [0037].); and 
transmit via the webpage, a message (Payments page transmitting messages for display on the merchant service provider webpage, such as a summary of the order information.  See at least [0047].  See also FIG. 4, displaying messages on “www.merchantserviceprovider.com.”).

While McCullagh discloses a webpage, McCullagh does not expressly disclose the webpage is a secure webpage.  Furthermore, while McCullagh discloses a webpage that redirects from a presentation of a merchant webpage, McCullagh does not expressly disclose the webpage overlays a presentation of a merchant webpage.  Furthermore, while McCullagh secure communication connection.  Furthermore, while McCullagh discloses an application service, McCullagh does not expressly disclose the application service is an application server.  Furthermore, while McCullagh discloses the application service storing payment data, McCullagh does not expressly disclose the application server to process the payment data.  Furthermore, while McCullagh discloses transmit via the webpage a message, McCullagh does not expressly disclose transmitting a payment message indicating the payment data was processed.

However, Mehta discloses the webpage is a secure webpage (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.); 
the webpage overlays a presentation of a merchant webpage (Overlaying the merchant web page with another web page.  See at least [0069].  See also FIG. 3(b), web page 302 overlaid on merchant web page 300.); 
the application service is an application server (The payment gateway component communicates with the payment-processing infrastructure for checking whether a second level authentication is required and the network address or uniform resource locator (URL) of the authentication entity, such as an access control server, that will be performing the second level authentication.  See at least [0035]. In the second web page, the URL/web page of the server that will be performing the second level authentication is opened and presented to the user through the user interface.  See at least [0037].  See at least [0053], disclosing the user device, the 
the application server to process the payment data (The Payment Gateway Component in communication with the Payment Processing Infrastructure to process payment data.  See at least [0047]-[0049].); and 
transmitting a payment message indicating the payment data was processed (In case of transaction success, the transaction success message is received by the payment gateway component, which can cause the second web page to close and then pass the transaction success message to the merchant front-end component through the merchant back-end component.  The merchant front-end component can display the transaction success message through the user interface. As discussed earlier, the transaction success message may be displayed on the first web page or on a different web page.  See at least [0049].  See also FIG. 1(a), steps 13-17 and FIG. 1(b), steps 16-20.).
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the webpage of McCullagh to be a secure webpage, as taught by Mehta, and to modify the displaying of the webpage of McCullagh to display the webpage by overlaying, using the overlaying technique taught by Mehta, and to modify the application service of McCullagh to be a server that processes the payment data, as taught by Mehta, and to modify the transmitting of a message of McCullagh to transmit a payment message indicating the payment data was processed, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in 

While McCullagh discloses a second communication connection, McCullagh does not expressly disclose the second communication connection is a second secure communication connection.

However, Strydom discloses the second communication connection is a second secure communication connection (The payment service provider functions as a gateway for routing payment information to and from one of a number of acquiring banks with which the payment service provider has a secure connection. When processing a payment transaction on behalf of the merchant server, the payment service provider selects the correct acquiring bank of the merchant with which to transact. The acquiring bank, in turn, communicates through a payment processing network, such as Visa's VisaNet® or MasterCard's Banknet®, with an issuing bank that issued cardholder data to an applicable consumer.  See at least [0083].).
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the second communication connection of McCullagh to be a secure communication channel, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 2, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 1, as discussed above, and McCullagh further discloses the order context data includes at least purchase data associated with the merchant transaction (“Order 

While McCullagh discloses order context data, McCullagh does not expressly disclose order context data include at least a merchant identifier.

However, Strydrom discloses order context data include at least a merchant identifier (Data related to a transaction by a consumer on a user device includes merchant identifier.  See at least [0096]-[0099].).
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the context data of McCullagh to include a merchant identifier, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 3, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 1, as discussed above, and McCullagh further discloses generate a webpage configuration data for delivery to the client workstation via the enterprise server, the webpage configuration data to initiate a communication connection between the client workstation and the security assurance webserver, and wherein, to establish the webpage is based at least in part on delivery of the webpage configuration data to the client workstation (The consumer interacting with webpage on user device presses the “checkout” button on the merchant page, and the merchant server sends the order information to the HOP services provider of the service provider.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment information on www.merchantserviceprovider.com.  The entities are communicatively connected.  See at least [0037].  The Examiner interprets the URL to the service provider (e.g., www.merchantserviceprovider.com) as the webpage configuration data.  The Examiner also interprets the user accessing the service provider website as a communication connection.).

While McCullagh discloses a webpage configuration data, McCullagh does not expressly disclose secure webpage configuration data.  Furthermore, while McCullagh discloses initiating a communication connection, McCullagh does not expressly disclose the communication connection is a secure communication connection.  Furthermore, while McCullagh discloses a webpage, McCullagh does not expressly disclose a secure webpage.

However, Strydom discloses a secure webpage configuration data; the communication connection is a secure communication connection; a secure webpage (Encrypted communication channel such as Hypertext Transfer Protocol Secure (HTTPS), Transport Layer Security/Secure Sockets Layer (TLS/SSL) or other secure channel.  See at least [0081].).
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the webpage of McCullagh to be a secure webpage, as taught by Strydom, and to modify the communication connection of McCullagh to 

Regarding claim 6, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 1, as discussed above, and McCullagh further discloses receive, from the client workstation, a request to initiate a communication connection with the client workstation, and wherein to establish the webpage at the client workstation, based at least in part on the request (The consumer interacting with webpage on user device presses the “checkout” button on the merchant page.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment information on www.merchantserviceprovider.com.  The entities are communicatively connected.  See at least [0037].).

While McCullagh discloses a communication connection with the client workstation, McCullagh does not expressly disclose the communication connection is a secure communication connection.  Furthermore, while McCullagh discloses establishing a webpage, McCullagh does not expressly disclose the webpage is a secure webpage.

However, Mehta discloses the communication connection is a secure communication connection (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.  See also [0033]. Payment details received from the user interface and provided to the  
the webpage is a secure webpage (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.).
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the connection of McCullagh to be a secure connection, as taught by Mehta, and to modify the webpage of McCullagh to be a secure webpage, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in order to ensure security of transactions (see Mehta at least at [0047]), and in order to provide efficient utilization of computational resources (see Mehta at least at [0082]).

Regarding claim 7, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 1, as discussed above, and McCullagh further discloses receive the payment data via the webpage, the payment data to include a personal account number and sensitive account data (Payments page transmitting messages for display on the merchant service 

While McCullagh discloses a webpage, McCullagh does not expressly disclose the webpage is a secure webpage.

However, Mehta discloses the webpage is a secure webpage (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.).
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the webpage of McCullagh to be a secure webpage, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in order to ensure security of transactions (see Mehta at least at [0047]), and in order to provide efficient utilization of computational resources (see Mehta at least at [0082]).

Regarding claim 8, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 1, as discussed above, and McCullagh further discloses an application service (The consumer, via the user device, inputs the payment information. For example, the 

While McCullagh discloses an application server, McCullagh does not expressly disclose the application service is an application server.  Furthermore, McCullagh does not expressly disclose receive, from the application server, a processing message indicating whether the payment data was processed, and wherein, to transmit the payment message via the secure webpage is based at least in part on the processing message.

However, Mehta discloses the application service is an application server (The payment gateway component communicates with the payment-processing infrastructure for checking whether a second level authentication is required and the network address or uniform resource locator (URL) of the authentication entity, such as an access control server, that will be performing the second level authentication.  See at least [0035]. In the second web page, the URL/web page of the server that will be performing the second level authentication is opened and presented to the user through the user interface.  See at least [0037].  See at least [0053], 
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date t to modify the application service of McCullagh to be a server taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in order to ensure security of transactions (see Mehta at least at [0047]), and in order to provide efficient utilization of computational resources (see Mehta at least at [0082]).

McCullagh does not expressly disclose receive, from the application server, a processing message indicating whether the payment data was processed, and wherein, to transmit the payment message via the secure webpage is based at least in part on the processing message.

However, Strydom discloses receive, from the application server, a processing message indicating whether the payment data was processed (Authorization response message sent from the acquiring bank to the payment service provider.  See at least [0101] and FIG. 4, step 324.  The payment service provider functions as a gateway for routing payment information to and from one of a number of acquiring banks with which the payment service provider has a secure connection.  See at least [0083].), and 
wherein, to transmit the payment message via the secure webpage is based at least in part on the processing message (If, at a next stage, the transaction was approved as indicated 
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to McCullagh to receive, from the application server, a processing message indicating whether the payment data was processed wherein, to transmit the payment message via the secure webpage is based at least in part on the processing message be a secure communication channel, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 9, a first embodiment of McCullagh discloses a computer-implemented method, comprising: under control of one or more processors (See at least FIG. 1 and see at least [0079]-[0080].  See also [0009] and [0084]-[0085].): 
receiving, at a security assurance webserver and from an enterprise server, order context data associated with a merchant transaction at a client workstation (The consumer interacting with webpage on user device presses the “checkout” button on the merchant page, and the merchant server sends the order information to the HOP services provider of the service provider.  See at least [0046].  See also FIG. 3, checkout button 318 on “www.merchant.com.” Merchant may be associated with a merchant server.  See at least [0015].  The service provider may be a third party other than the consumer and merchant, that provides services in support of electronic transactions.  See at least [0039].  Merchant Service Provider may be a server.  See at least [0079]-[0080].  The Examiner interprets the user device as a client workstation.  The Examiner also interprets the merchant server as the enterprise server.); 
generating, a first connection between the client workstation and the security assurance webserver; determining whether to establish, via the first connection, a secure webpage that redirects from a presentation of a merchant webpage on the client workstation (The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment information on www.merchantserviceprovider.com.  The entities are communicatively connected.  See at least [0037].); 
receiving, via the secure webpage, payment data associated with the merchant transaction; transmitting, via a second connection, the payment data to an application service (The consumer, via the user device, inputs the payment information. For example, the consumer inputs his or her credit card information into input fields and his or her billing address information into input fields and then presses the “Purchase” button.  The payment information is transmitted via SSL pipe from the user device to the HOP services provider.  The HOP services provider forwards the payment information received from the consumer as well as the order information received from the merchant to the transaction services via link.  See at least [0047]-[0049].  HOP services provider is part of the merchant service provider.  See at least [0037].  The transaction services creates an account/profile for the user in the user profile data and stores in the newly created account/profile the payment information and the billing information that the consumer inputted into input fields of the hosted payment page.  See at least [0050].  The entities are communicatively connected.  See at least [0037].).

While the first embodiment of McCullagh discloses a first connection between the client workstation and the security assurance webserver, the first embodiment McCullagh does not secure connection.  Furthermore, while the first embodiment of McCullagh discloses redirecting from a presentation of a merchant page, the first embodiment of McCullagh does not expressly disclose a webpage that overlays a presentation of the merchant page.  Furthermore, while the first embodiment of McCullagh discloses payment data, the first embodiment of McCullagh does not expressly disclose the payment data is encrypted payment data.  Furthermore, while the first embodiment of McCullagh discloses a second connection, the first embodiment of McCullagh does not expressly disclose the second connection is a secure connection.  Furthermore, while the first embodiment of McCullagh discloses an application service, the first embodiment of McCullagh does not expressly disclose the application service is an application server.  Furthermore, the first embodiment of McCullagh does not expressly disclose receiving, via the second connection, a processing message indicating whether the payment data was processed.

However, Mehta discloses the first connection is a secure connection (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.  See also [0033]. Payment details received from the user interface and provided to the payment gateway are isolated from the merchant back-end component, thereby ensuring security of transaction.  The payment component can implement encryption and other security measures to comply with PCI standards and maintain data security.  See at least [0047].  The Examiner interprets the communication connection between the user interface and the payment gateway component that isolates the merchant back-end component so that the merchant backend component does not have access to 
a webpage that overlays a presentation of the merchant page (Overlaying the merchant web page with another web page.  See at least [0069].  See also FIG. 3(b), web page 302 overlaid on merchant web page 300.);
the application service is an application server (The payment gateway component communicates with the payment-processing infrastructure for checking whether a second level authentication is required and the network address or uniform resource locator (URL) of the authentication entity, such as an access control server, that will be performing the second level authentication.  See at least [0035]. In the second web page, the URL/web page of the server that will be performing the second level authentication is opened and presented to the user through the user interface.  See at least [0037].  See at least [0053], disclosing the user device, the merchant system, and the payment gateway system may all be implemented in a variety of computing systems, such as a server.).
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the first connection of the first embodiment of McCullagh to be a secure connection, as taught by Mehta, and to modify the displaying of the webpage of the first embodiment of McCullagh to display the webpage by overlaying, using the overlaying technique taught by Mehta, and to modify the application service of the first embodiment of McCullagh to be a server that processes the payment data, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in 

While the first embodiment of McCullagh discloses payment data, the first embodiment of McCullagh does not expressly disclose the payment data is encrypted payment data.  Furthermore, while the first embodiment of McCullagh discloses a second connection, the first embodiment of McCullagh does not expressly disclose the second connection is a secure connection.  Furthermore, the first embodiment of McCullagh does not expressly disclose receiving, via the second connection, a processing message indicating whether the payment data was processed

However, a second embodiment of McCullagh discloses the payment data is encrypted (An authorization request message can include a request for authorization to conduct an electronic purchase transaction and data relevant to determining if the request should be granted as well as device identification information related to the mobile payment acceptance device, which the service provider validates against the list of approved mobile payment acceptance devices. For example, it may include one or more of an account holder's payment account number, currency code, sale amount, merchant transaction stamp, acceptor city, acceptor state/country, etc. An authorization request message may be protected using a secure encryption method (e.g., 128-bit SSL or equivalent) in order to prevent unauthorized access to account or transaction data.  See at least [0074].).
From the teaching of the second embodiment of McCullagh, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the payment data 

While the first embodiment of McCullagh discloses a second connection, the first embodiment of McCullagh does not expressly disclose the second connection is a secure connection.  Furthermore, the first embodiment of McCullagh does not expressly disclose receiving, via the second connection, a processing message indicating whether the payment data was processed.

However, Strydom discloses the second connection is a secure connection (The payment service provider functions as a gateway for routing payment information to and from one of a number of acquiring banks with which the payment service provider has a secure connection. When processing a payment transaction on behalf of the merchant server, the payment service provider selects the correct acquiring bank of the merchant with which to transact. The acquiring bank, in turn, communicates through a payment processing network, such as Visa's VisaNet® or MasterCard's Banknet®, with an issuing bank that issued cardholder data to an applicable consumer.  See at least [0083].);
receiving, via the second connection, a processing message indicating whether the payment data was processed (Authorization response message sent from the acquiring bank to the payment service provider.  See at least [0101] and FIG. 4, step 324.  The payment service provider functions as a gateway for routing payment information to and from one of a number of 
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the second communication connection of the first embodiment of McCullagh to be a secure communication channel, as taught by Strydom, and to modify the first embodiment of McCullagh to receiving, via the second connection, a processing message indicating whether the payment data was processed, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 10, the combination of McCullagh, Mehta, and Strydom disclose the limitations of claim 9, as discussed above, and McCullagh further discloses generating a webpage configuration data for delivery to the client workstation via the enterprise webserver, the webpage configuration data to initiate a communication connection between the client workstation and the security assurance webserver, and wherein, establishing the webpage is based at least in part on delivery of the secure webpage configuration data to the client workstation (The consumer interacting with webpage on user device presses the “checkout” button on the merchant page, and the merchant server sends the order information to the HOP services provider of the service provider.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment information on www.merchantserviceprovider.com.  The entities are communicatively connected.  See at least [0037].  The Examiner interprets the URL to the service provider (e.g., 

While McCullagh discloses a webpage configuration data, McCullagh does not expressly disclose secure webpage configuration data.  Furthermore, while McCullagh discloses initiating a communication connection, McCullagh does not expressly disclose the communication connection is a secure communication connection.  Furthermore, while McCullagh discloses a webpage, McCullagh does not expressly disclose a secure webpage.

However, Strydom discloses a secure webpage configuration data; the communication connection is a secure communication connection; a secure webpage (Encrypted communication channel such as Hypertext Transfer Protocol Secure (HTTPS), Transport Layer Security/Secure Sockets Layer (TLS/SSL) or other secure channel.  See at least [0081].).
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the webpage of McCullagh to be a secure webpage, as taught by Strydom, and to modify the communication connection of McCullagh to be secure, using the encrypted communication channels taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 11, the combination of McCullagh, Mehta, and Strydom disclose the limitations of claim 10, as discussed above, and McCullagh further discloses analyzing the order context data to identify at least a merchant service provider identifier associated with the merchant transaction, and wherein generating the secure webpage configuration data is based at least in part on the merchant service provider identifier (The merchant creates a one-way hash of the order.  See at least [0044].  The one-way hash is used for data verification.  See at least [0046]-[0047].  The HOP services provider verifies the one-way hash provided by the merchant by applying its own copy of the hashing script to the order information to generate its own one-way hash of the order information and then comparing the hash it generates to the hash provided by the merchant. If the one-way hash is verified and thereby confirms that the order information was not tampered with during transmission from the merchant, then the HOP services provider provides the hosted payment page to the consumer.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  The HOP services provider provides the hosted payment page to the consumer See at least [0046]-[0047].  See also FIG. 4, inputs fields 418 to enter payment information on www.merchantserviceprovider.com. The Examiner interprets the one-way hash, which is provided by the merchant, as a merchant service provider identifier associated with the transaction.).

Regarding claim 14, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 9, as discussed above, and McCullagh further discloses receiving, from the client workstation, a request to initiate a communication with the client workstation; and establishing the webpage based at least in part on the request (The consumer interacting with webpage on user device presses the “checkout” button on the merchant page.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment 

While McCullagh discloses a communication connection with the client workstation, McCullagh does not expressly disclose the communication connection is a secure communication connection.  Furthermore, while McCullagh discloses establishing a webpage, McCullagh does not expressly disclose the webpage is a secure webpage.

However, Mehta discloses the communication connection is a secure communication connection (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.  See also [0033]. Payment details received from the user interface and provided to the payment gateway are isolated from the merchant back-end component, thereby ensuring security of transaction.  The payment component can implement encryption and other security measures to comply with PCI standards and maintain data security.  See at least [0047].  The Examiner interprets the communication connection between the user interface and the payment gateway component that isolates the merchant back-end component so that the merchant backend component does not have access to the transmitted data as a secure communication connection, as well as communication that is via a secure webpage, as a secure connection.); 
the webpage is a secure webpage
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the webpage of McCullagh to be a secure webpage, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in order to ensure security of transactions (see Mehta at least at [0047]), and in order to provide efficient utilization of computational resources (see Mehta at least at [0082]).

Regarding claim 15, the combination of McCullagh, Mehta, and Strydom discloses the limitations of claim 9, as discussed above, and Strydom further discloses in response to receiving the processing message, transmitting, via the secure webpage, a payment message indicating whether the payment data was processed, based at least in part on the processing message
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to McCullagh to transmitting, via the secure webpage, a payment message indicating whether the payment data was processed, based at least in part on the processing message in response to receiving the processing message, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 16, McCullagh discloses an enterprise webserver, comprising: one or more processors; memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors to (See at least FIG. 1 and [0079]-[0080].  See also [0009] and [0084]-[0085].  Merchant server.  See at least [0046].  The Examiner interprets the merchant server as the enterprise server.): 
receive, from a client workstation, a first message associated with a merchant transaction at a merchant website (User uses user device to interact with merchant page, and selects a “checkout” button on the merchant page.  See at least [0046].  See also FIG. 3, checkout button 318 on “www.merchant.com.” The Examiner interprets the user device as a client workstation.); 
generate data for use in validating data of the enterprise webserver (The merchant creates a one-way hash of the order.  See at least [0044].  The one-way hash is used for data verification.  See at least [0046]-[0047].); 
in response to validating the data of the enterprise webserver, a server transmits a webpage dataset to the client workstation (The merchant sends the one-way hash of the order to the merchant service provider.  The HOP services provider verifies the one-way hash provided , 
the webpage dataset including a set of computer-executable instructions that initiate a communication connection between the client workstation and a security assurance webserver to establish a webpage, the webpage to redirect from a presentation of the merchant website on the client workstation (The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment information on www.merchantserviceprovider.com.  The entities are communicatively connected.  See at least [0037].); and 
receive, from the client workstation, a second message, based at least in part on establishing the webpage (A user device sending a payment token that was created when the user requested to create an account on the payment webpage.  The user device sending the payment token to the merchant.  For example, the token(s) may be redirected to the merchant via the user device.  See at least [0050].  The Examiner interprets sending a payment token as sending a message.).

While McCullagh discloses generating data for using in validating data of the enterprise webserver, McCullagh does not expressly disclose generating a server identity data for use in validating an identity.  Furthermore, while McCullagh discloses a server transmits a webpage dataset to the client workstation, McCullagh does not expressly disclose the enterprise webserver performs the step of transmit a webpage.  Furthermore, while McCullagh discloses transmit a webpage dataset, McCullagh does not expressly disclose the webpage is a secure webpage dataset.  While the first embodiment of McCullagh discloses initiating a communication connection, the first embodiment McCullagh does not expressly disclose the communication connection is a secure communication connection.  Furthermore, while McCullagh discloses a webpage, McCullagh does not expressly disclose the webpage is a secure webpage.  Furthermore, while McCullagh discloses the webpage to redirect from a presentation of a merchant website, McCullagh does not expressly disclose a webpage to overlay a presentation of the merchant website.  Furthermore, while McCullagh discloses a second message, McCullagh does not expressly disclose the second message indicating a processing status of the merchant transaction. 

However, Strydom discloses generating a server identity data for use in validating an identity (The merchant sending a merchant identifier to the payment service provider (PSP).  See at least [0088].  See also [0032]-[0037].  The merchant identifier is validated to make sure that the merchant has previously been set-up as a merchant with the PSP.  See at least [0097]. The merchant server is required to have previously registered or signed up with the payment 
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the generating of McCullagh to generate the server identity data taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

While McCullagh discloses a server transmits a webpage dataset to the client workstation, McCullagh does not expressly disclose the enterprise webserver performs the step of transmit a webpage.  While the first embodiment of McCullagh discloses initiating a communication connection, the first embodiment McCullagh does not expressly disclose the communication connection is a secure communication connection.  Furthermore, while McCullagh discloses transmit a webpage dataset, McCullagh does not expressly disclose the webpage is a secure webpage dataset.  Furthermore, while McCullagh discloses a webpage, McCullagh does not expressly disclose the webpage is a secure webpage.  Furthermore, while McCullagh discloses the webpage to redirect from a presentation of a merchant website, McCullagh does not expressly disclose a webpage to overlay a presentation of the merchant website.  Furthermore, while McCullagh discloses a second message, McCullagh does not expressly disclose the second message indicating a processing status of the merchant transaction.

However, Mehta discloses the enterprise webserver performs the step of transmit a webpage (The merchant backend component may provide a merchant web page to the merchant 
the webpage dataset is a secure webpage dataset; the webpage is a secure webpage (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.); 
the communication connection is a secure communication connection (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.  See also [0033]. Payment details received from the user interface and provided to the payment gateway are isolated from the merchant back-end component, thereby ensuring security of transaction.  The payment component can implement encryption and other security measures to comply with PCI standards and maintain data security.  See at least [0047].  The Examiner interprets the communication connection between the user interface and the payment gateway component that isolates the merchant back-end component so that the merchant backend component does not have access to the transmitted data as a secure communication connection, as well as communication that is via a secure webpage, as a secure connection.);
a webpage to overlay a presentation of the merchant website (Overlaying the merchant web page with another web page.  See at least [0069].  See also FIG. 3(b), web page 302 overlaid on merchant web page 300.); 
the second message indicating a processing status of the merchant transaction (In case of transaction success, the transaction success message is received by the payment gateway component, which can cause the second web page to close and then pass the transaction success message to the merchant front-end component through the merchant back-end component.  The 
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the transmitting of McCullagh to be performed by the enterprise webserver, using the technique taught by Mehta, and to modify the webpage of McCullagh to be a secure webpage, as taught by Mehta, and to modify the displaying of McCullagh to overlay using the overlaying technique taught by Mehta, and to modify the second message of McCullagh to indicate a processing status of the merchant transaction, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in order to ensure security of transactions (see Mehta at least at [0047]), and in order to provide efficient utilization of computational resources (see Mehta at least at [0082]).

Regarding claim 17, the combination of McCullagh, Strydom, and Mehta discloses the limitations of claim 16, as discussed above, and Strydom further discloses in response to not validating the identity of the enterprise webserver, transmit an alert message to the client workstation indicating that a processing error of the merchant transaction has occurred (At a next stage, the payment service provider receives the merchant's consumer ID, the encrypted token, the payment amount and also the merchant identifier of the particular merchant that is requesting payment. The merchant identifier is validated to make sure that the merchant has previously been set-up as a merchant with the PSP at a next stage. If the merchant is not 
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify McCullagh to transmit an alert message to the client workstation indicating that a processing error of the merchant transaction has occurred in response to not validating the identity of the enterprise webserver, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

Regarding claim 19, the combination of McCullagh, Strydom, and Mehta discloses the limitations of claim 16, as discussed above, and McCullagh further discloses in response to validating the data of the enterprise webserver, generate an order context data for delivery to the security assurance webserver, based at least in part on the first message (User uses user device to interact with merchant page, and selects a “checkout” button on the merchant page.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider. The merchant sends the one-way hash of the order to the merchant service provider.  The HOP services provider verifies the one-way hash provided by the merchant by applying its own copy of the hashing script to the order information to generate its own one-way hash of the order information and then comparing the hash it generates to the hash provided by the merchant. If the one-way hash is verified and thereby confirms that the order information was not tampered with during transmission from the merchant, then the HOP services provider provides the hosted payment page to the consumer.  The HOP services , 
the order context data to include at least purchase order context data associated with the merchant transaction (“Order information” may include information about an electronic transaction, such as information about the item(s) to be purchased, payment amounts, sales tax, shipping address, shipping type (e.g., overnight, one-day, standard), carrier, shipping & handling costs, special requests (e.g., gift wrapping), etc. It may also include information about the consumer making the transactions.  See at least [0033].); and 
receive, from the security assurance webserver, the webpage dataset, based at least in part on the order context data (User uses user device to interact with merchant page, and selects a “checkout” button on the merchant page.  The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  Then the HOP services provider provides the hosted payment page to the consumer.  The HOP services provider provides the hosted payment page to the consumer. See at least [0046]-[0047].   The “Checkout” button may include a URL that redirects the user device to a location at the HOP services provider.  See at least [0046].  See also [0047] and FIG. 4, inputs fields 418 to enter payment 

While McCullagh discloses validating data, McCullagh does not expressly disclose validating the identity of the enterprise server.  Furthermore, while McCullagh discloses order context data, McCullagh does not expressly disclose order context data include at least a merchant identifier.  Furthermore, while McCullagh discloses the webpage dataset, McCullagh does not expressly disclose the webpage dataset is secure webpage dataset.

However, Strydrom discloses validating the identity of the enterprise server (The merchant sending a merchant identifier to the payment service provider (PSP).  See at least [0088].  See also [0032]-[0037].  The merchant identifier is validated to make sure that the merchant has previously been set-up as a merchant with the PSP.  See at least [0097]. The merchant server is required to have previously registered or signed up with the payment service provider.  See at least [0081].  Merchant is associated with a remotely accessible merchant server computer which hosts an e-commerce website.  See at least [0079].);
order context data include at least a merchant identifier (Data related to a transaction by a consumer on a user device includes merchant identifier.  See at least [0096]-[0099].).
From the teaching of Strydom, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the generating of McCullagh to generate the server identity data taught by Strydom, and to modify the context data of McCullagh to include a merchant identifier, as taught by Strydom, in order to offer increased convenience to consumers and to merchants (see Strydom at least at [0002]-[0008]).

While McCullagh discloses the webpage dataset, McCullagh does not expressly disclose the webpage dataset is secure webpage dataset.

However, Mehta discloses the webpage dataset is a secure webpage dataset (Payment Gateway Component sending a secure webpage to the user interface of the user device.  See at least [0037] and [0020].  See also FIG. 1(a), step 9.  See also FIG. 1(b), step 10.).
From the teaching of Mehta, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the dataset of McCullagh to be a secure webpage dataset, as taught by Mehta, in order to making the transaction more secure and eliminating the need for the merchant back-end component to implement complex PCI certified technology (see Mehta at least at [0019]), and in order to ensure security of transactions (see Mehta at least at [0047]), and in order to provide efficient utilization of computational resources (see Mehta at least at [0082]).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over McCullagh in further view of Strydom, in view of Mehta, and in further view of US 20210029100  (“Bendersky”).
Regarding claim 18, the combination of McCullagh, Strydom, and Mehta discloses the limitations of claim 16, as discussed above.  McCullagh does not expressly disclose the server identity data includes at least a hash of a set of files stored on the enterprise webserver, and wherein the one or more modules are further executable by the one or more processors to: transmit, to a hashing server, the server identity data for validating the identity of the enterprise webserver; and receive, from the hash server, a response associated with validating the identity of the enterprise webserver.

However, Bendersky discloses the server identity data includes at least a hash of a set of files stored on the enterprise webserver (Users are able to securely verify themselves to remote systems based on unique personal data or unique metadata associated with electronic files on their devices.  For example, in some embodiments, to verify an identity associated with a user or an application, a system may receive, from a client device associated with the user or application, an encrypted token. The encrypted token may have been encrypted at the client device using a cryptographic key created at the client device based on identity-inherent data of the identity associated with the user or application. In some embodiments, the identity-inherent data of the identity is not itself received by the system, and thus the cryptographic key is accessible only to the client device associated with the user or application. The system may store the encrypted token in association with a hash of a decrypted version of the encrypted token. To verify the identity, the system may compare the stored hash with a created hash to determine whether to verify the identity.  In additional embodiments, the verification service may store unique profiles, or fingerprints, associated with particular electronic files or identities. The unique profiles may be based on unique metadata associated with files on user devices, such as electronic images, videos, sounds, textual documents, or other files. When an identity seeks access to a secure resource, a verification process may be performed to determine whether the unique metadata in a stored profile matches the unique metadata associated with an electronic file.  See at least [0058]-[0060].  See also [0061]-[0062].), and 
wherein the one or more modules are further executable by the one or more processors to: transmit, to a hashing server, the server identity data for validating the identity of the enterprise webserver (The encrypted and decrypted tokens may be transmitted to verification service via an encrypted communication channel, e.g. a transport layer security (TLS) communication. At operation, verification service may store the received tokens, for example, in memory or other secure database or datastore. As noted above, in some embodiments client may also provide to verification service a hash of the decrypted (e.g., original) token.  See at least [0092].  See also FIGs. 3-4.  Entities may be servers.  See at least [0139]-[0141].); and 
receive, from the hash server, a response associated with validating the identity of the enterprise webserver (Verification service may receive the decrypted token from client device and generate a hash of the decrypted token. Alternatively, verification service may receive the hash itself from client device. Verification service may use the same method to generate a hash of the stored decrypted token. Verification service may compare the hash of the received decrypted token and the hash of the stored decrypted token. If the hash values match, the identity is verified. If the hash values do not match, the identity is not verified. Verification service transmits the result of the comparison, or a prompt based on the comparison, to client device, thereby either allowing or denying access to an access-restricted resource depending on whether the identity is verified or not verified, respectively.  See at least [0099].  See also FIGs. 3-4.).
From the teaching of Bendersky, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify McCullagh to transmit, to a hashing server, the server identity data for validating the identity of the enterprise webserver, and to modify .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 9,514,452 (“Dhar”) discloses a system and method for providing simplified checkout with payment float.
US 20080244277 A1 (“Orsini”) discloses a method and system for securing sensitive data from unauthorized access or use.
US 20200143375 A1 (“Gurunathan”) discloses dynamically adapting timeout periods.  The method includes receiving, by a server system associated with a payment network, a payment transaction request from a merchant interface. The payment transaction request includes a payment information and a payment card information of a user. After receiving the payment transaction request, a plurality of authentication options may be presented to the user for authenticating the payment transaction.  The user may select an authentication option from the plurality of authentication options. A timeout period for authenticating a payment transaction is determined based on the authentication option selected by the user. The timeout period is determined using a set of predefined rules.
 “Secure Communication for Internet Payment in Heterogeneous Networks” by Refka Abdellaoui, dated 2010 https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5474833 (hereinafter 
“Definitions for secure communication,” Definitions, dated March 2, 2021, https://web.archive.org/web/20210302031700/https://www.definitions.net/definition/secure+communication (hereinafter “Secure Communication Definitions”) discloses secure communication “when two entities are communicating and do not want a third party to listen in.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAVEN E ZEER whose telephone number is (313)446-6606. The examiner can normally be reached Monday - Friday 8-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bennett M Sigmond can be reached on (303) 297-4411. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/R.E.Z./Examiner, Art Unit 3694                                                                                                                                                                                                        
/ELDA G MILEF/Primary Examiner, Art Unit 3694