DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This office action is in response to the claim amendments filed November 22, 2021.
Claims 1, 2, 5-12, 14 and 17-18 are pending.
Claims 1, 2, 5-12, 14 and 17-18 have been examined.
Claims 3, 4, 13 and 15-16 have been cancelled.

Response to Arguments
With respect to Claim Rejections - 35 USC § 103
Applicant’s arguments with respect to claims 1, 2, 5-12, 14 and 17-18 have been considered but are moot in view of new grounds of rejection initiated by applicant’s amendment to the claims.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:


Claims 11, 12 and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Claim 11 recites “generating a secure payment token by encrypting at least the first token…”. However, claim further recites “receiving a secure payment token comprising encrypted data…”.  It is unclear to one of the ordinary skill in the art, whether the “receiving a secure payment token comprising encrypted data…” step is referring to the secure payment token generated in the “generating a secure payment token by encrypting at least the first token” step or a different secure payment token. Appropriate correction is required.

Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 2, 5-12, 14 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Barbara Patterson (WO 2012040377 A1 to) in view of Raj et al. (US 20140344153 A1).

Regarding claim 1: Patterson discloses: A method of securing a first token (e.g. verification token) associated with a subscriber's payment instrument (e.g. payment card 32-2), hosted in a mobile terminal (e.g. mobile device 32-1) of a system comprising a token- generator server, wherein the method comprises (See paragraphs [0011], [0044] and [0091] and Fig. 1 and related text):
registering of the payment instrument with a [merchant website] (see paragraph [0089] and [0121] and Fig. 7 and Fig. 20);
in response to the registration, pairing (e.g. enrolling / binding) an identifier (e.g. identifier for a mobile device or phone number) of the mobile terminal (e.g. mobile device 32-1) with the payment instrument (e.g., payment card 32-2), and subsequently pairing, by the token-generator server and the payment application, a personal cryptogram (e.g. consumer/login information such as PIN or password) with the payment instrument (See paragraphs [0044], [0072], [0074], [0078-0079], [0088-0091], [0094] and [0106-0107] and Fig. 7 and FIG. 8);
cryptographically generating, by the token-generator server, a first token (e.g. verification token) (Patterson [0012], [0074], the Examiner considers the server computer generates a verification token and encrypting the verification tokens to be the cryptographically generating, by the token-generator server, a first token) based on an [data] associated with the payment instrument and based on […], wherein the first token comprises pseudo-random data (e.g., Verification tokens may be in any suitable form and any suitable length. Verification tokens may be in the form of numbers, letters, or combinations thereof), (Patterson [0074], “When a mobile device has been enrolled using an enrollment process according to an embodiment of the invention, the payment processing network 26 may generate a verification token using a verification token management module 702. The verification token may be electronically transmitted to the mobile device. All transmissions received and transmitted, including authorization request messages, authorization response messages, and verification tokens, may be encrypted by an encryption module 704 using security keys.” [0040], “A "verification token" may be any suitable piece of information that can be used to verify that a consumer has presented a payment card or other authentic payment credential to a merchant for verification. Verification tokens may be in any suitable form and any suitable length. Verification tokens may be in the form of numbers, letters, or combinations thereof.” Patterson further, discloses activation code may be generated by any suitable algorithm or a random generator and a verification token according to an embodiment of the invention may be the form of an activation code), (see paragraphs [0071], [0011], [0012], [0074], [0090] and [0040]);
Examiner’s note: the limitation “cryptographically generating, by the token-generator server, a first token based on an account number associated with the payment instrument and based on a diversifier, wherein the first token comprises pseudo-random data” this is nonfunctional descriptive material as it only describes data values, while the data values are not used to perform any of the recited method steps. Therefore, it has been held the nonfunctional descriptive material will not distinguish the invention from the prior art in term of patentability. MPEP 2111.05.
storing the first token on the mobile terminal in association with the payment application (See paragraphs [0011-0012], [0015], [0040], [0042], [0064] and [0074] and Fig. 7 and FIG. 8)
receiving transaction data (e.g. transaction data, e.g. item, SKU, amount) concerning a payment transaction by the payment application (e.g. retail application on the mobile device 32-1) (See paragraphs [0124]-[0125]); and
generating, by the payment application, a secure payment token (Patterson [0052], the Examiner considers generating and encrypting the authorization request message to be the secure payment token. The secure payment token is used authorize or deny a transaction. As disclosed by Patterson, the authorization request message is used to authorize or deny the transaction) by encrypting at least the first token (e.g. verification token), the transaction data (e.g. transaction data), the identifier of the mobile terminal (e.g. mobile device identifier or phone number), and [PIN] (Patterson [0058], [0065]) debit card transaction (e.g. involving encrypted PIN sent in an authorization message). Patterson discloses, generating a secure second payment token by mobile device 32), (See paragraphs [0020], [0084], [0051], [0052], [0123-0124] and [0127]-[0128] and Fig. 21);
Examiner’s note: the limitation “generating, by the payment application, a secure payment token by encrypting at least the first token, the transaction data, the identifier of the mobile terminal, and the personal cryptogram” this is nonfunctional descriptive material as it only describes data values, while the data values are not used to perform any of the recited method steps. Therefore, it has been held the nonfunctional descriptive material will not distinguish the invention from the prior art in term of patentability. MPEP 2111.05.
receiving, by the token-generator server, the secure payment token (see paragraphs [0085]); and
verifying, by the token-generator server, validity of the secure payment token (see paragraph [0085]-[0086], and [0142], see also[0050]-[0051], [0109]).

Patterson does not specifically disclose, registering of the payment instrument with a payment application of the mobile terminal.
However, Raj discloses:
registering of the payment instrument with a payment application of the mobile terminal (Raj [0139], “The user can then be presented with one or more accounts associated with the application from which the consumer may select to register. In an embodiment, the user can enter the card information to register with wallet provider or issuer application.”), [0198], “the user's electronic wallet may be stored in the E-Wallet database 31, which may include information associated with the user's payment accounts can be used in conducting a financial transaction with a merchant. For example, the E-Wallet database 31 may include the primary account numbers of one or more payment accounts (e.g., payment accounts associated with a credit card, debit card, etc.) of the user 30. The e-wallet may be populated with such information during an initial enrollment process in which the user 30 enters information regarding one or more of the payment accounts that may be associated with various issuers.”), (see paragraphs [0139], [0111], [0148] and [0198] and Fig. 7 and Fig. 9. See also paragraphs [0092], [0092]).

Patterson does not specifically disclose, generating, the first token based on an account number and based on based on a diversifier (e.g., rules or configuration) wherein the first token comprises pseudo-random data (e.g., random data based on a data representing an account number or fixed length).
However, Raj discloses:
cryptographically generating, by the token-generator server, a first token based on an account number associated with the payment instrument and based on a diversifier, wherein the first token comprises pseudo-random data (Raj [0112], “Token generation module 104b may generate tokens in response to a request from the mobile tokenization hub. In some embodiments, the token generation module 104b can select the token from a numbering scheme and activate the token. For example, with a static token, then the CTC module can create an association between the token and one or more account identifiers. With a dynamic token, the CTC module can set controls and make a pairing available to a payment processing network in order to complete the transaction processing.” [0114], “In some embodiments, token generation rules module 104f can receive rules from a registered system for generating tokens.” [0128], “the requested token is returned to the requesting device. In some embodiments, a provisioning service may be used to open a secure connection to the device and store the token in the device's secure element. In other embodiments, the token may be encrypted and returned directly to the device or through the payment application”, [0055], “a token format for a secure element (SE) device to be used in a transaction can include a token that comprises a static element and a dynamic element. The static element of the token format may comprise a static or non-changing identifier, for example, a primary account number (PAN) substitute (i.e., static account substitute). The dynamic element may be generated using the static element, other consumer account, or device information, or may be received from a third party for one or more transactions.”), (see paragraphs [0112]-[0114], [0128], [0098], and [0055]-[0057] and Fig. 13).

Patterson does not specifically disclose, generating a secure second payment token by encrypting the personal cryptogram.
However, Raj discloses:
generating, by the payment application, a secure payment token by encrypting at least the first token, the transaction data, the identifier of the mobile terminal, and the personal cryptogram (Raj [0162], “In some embodiments, a non-SE mobile device may be used with a dynamic token. The mobile device may include a payment application, such as an issuer payment application, a wallet provider application, and/or a PPN reference application. The non-SE mobile device may perform chip transactions using the dynamic token. Transaction data for the chip transaction may include Track 2 data, a dCVV, an application cryptogram, payment application data, and an ATC. In some embodiments, the payment application at the mobile device may generate a QR code (e.g., Quick Response Code, bar code) that includes the dynamic token. The transaction data type can include a chip transaction which may include Track 2 data, a dCVV, an application cryptogram, issuer application data, and an ATC.” [0164], “the consumer can initiate a transaction with a merchant 1314 using the token. For example, the token may be packaged into a QR code and displayed on the mobile device.”), (see paragraphs [0162] and [0164] and Fig. 13).

Alternatively, Raj discloses:
in response to the registration, pairing an identifier of the mobile terminal with the payment instrument (Raj [0106], “device information module 102k can receive mobile device information during registration and interface with credential database 110a to store the device information. The device information can be associated with a consumer…”), and 
receiving, by the token-generator server, the secure payment token (see paragraph [0164] and Fig. 13); and
verifying, by the token-generator server, validity of the secure payment token (see paragraph [0165] and Fig. 13).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Patterson with Raj to include a function of generating a token based on random data and utilizing token and QR codes including the generated token to perform transaction to enhance data security for a transaction.

Regarding claim 2: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method according to claim 1, wherein the pairing is performed following a successful authentication protocol between the payment application and a remote authentication server (See paragraphs [0012], [0078-0079], [0088-0090] and [0106-0107] and Fig. 7 and FIG. 8 and related text)”).

Regarding claim 5
Patterson further discloses: The method according to claim 1, wherein the first token is encrypted by means of a temporary key received from a server for generating the first token (See paragraphs [0011] and [0071]).

Regarding claim 6: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method according to claim 1, it wherein the method further comprises the payment application generating the identifier of the mobile terminal and the personal cryptogram, wherein the generating is triggered by receiving data concerning the payment transaction (See paragraph [0013]).

Regarding claim 7: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method according to claim 6, wherein the payment application generating the identifier of the mobile terminal and the personal cryptogram comprises: reading a secure memory of the mobile terminal on condition that a personal password is input, or executing a cryptographic calculation on condition that a personal password is input (See paragraphs [0094] and [150]).

Regarding claim 8: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method according to claim 6, wherein generating the identifier of the mobile terminal and the personal cryptogram is triggered by a request to authenticate the subscriber during the payment transaction, the payment transaction being a  (See paragraphs [0011] and [0044]).

Regarding claim 9: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method according to claim 6, wherein, during execution of the payment transaction, the identifier and the personal cryptogram are stored in a volatile memory of the mobile terminal (See paragraphs [0011] and [0064-0064]).
 
Regarding claim 10: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method according to claim 1, wherein the storing comprises writing the first token in a nonvolatile memory of the mobile terminal (See paragraphs [0011] and [0064-0064]).

Regarding claim 11: Patterson and Raj, discloses as shown above.
Patterson further discloses A system comprising a mobile terminal and a token-generator server, the mobile terminal comprising a non-transitory computer readable storage medium for hosting a payment application, the payment application performing operations comprising:
registering of the payment instrument (see paragraph [0089] and [0121] and Fig. 7 and Fig. 20).
in response to the registration, pairing an identifier of the mobile terminal, and subsequently a personal cryptogram with a payment instrument (See paragraphs [0044], [0072], [0074], [0078-0079], [0088-0091], [0094] and [0106-0107] and Fig. 7 and FIG. 8);
receiving transaction data concerning a payment transaction (See paragraphs ([0124-0125]); and
generating a secure payment token (Patterson [0052], the Examiner considers generating and encrypting the authorization request message to be the secure payment token. The secure payment token is used authorize or deny a transaction. As disclosed by Patterson, the authorization request message is used to authorize or deny the transaction) by encrypting at least the first token, the transaction data, the identifier of the mobile terminal, and the […] (See paragraphs [0020], [0084], [0051], [0052], [0123-0124] and [0127]-[0128] and Fig. 21);
Examiner’s note: the limitation “generating, by the payment application, a secure payment token by encrypting at least the first token, the transaction data, the identifier of the mobile terminal, and the personal cryptogram” this is nonfunctional descriptive material as it only describes data values, while the data values are not used to perform any of the recited method steps. Therefore, it has been held the nonfunctional descriptive material will not distinguish the invention from the prior art in term of patentability. MPEP 2111.05.
and the token-generator server performing operations comprising:
receiving a request from the mobile terminal for obtaining a first token, the request including an identifier of the mobile terminal and a personal cryptogram of a subscriber (Patterson [0074], “When a mobile device has been enrolled using an enrollment process according to an embodiment of the invention, the payment processing network 26 may generate a verification token using a verification token management module 702. The verification token may be electronically transmitted to the mobile device.” [0107], “the consumer 30 may provide different types of information to the access device 34. Such information may include an identifier (e.g., a phone number) for a mobile device, and other suitable information. For example, the merchant website account login information (e.g., username, password, mobile device identifier) 5 may be provided.” [0146], “the merchant may also operate a Website that has an account that is associated with the mobile device, and that requires a password for access. This password can also be used to access a verification token when enrollment 25 of the phone with the payment processing network can takes place at the access device.”), (see paragraphs [0074], [0107], [0146] and Fig. 6, see also paragraphs [0079]-[0081]);
cryptographically generating, in response to the request, the first token (Patterson [0012], [0074], the Examiner considers the server computer generates a verification token and encrypting the verification tokens to be the cryptographically generating, by the token-generator server, a first token) based on [data] associated with the payment instrument and based on a […], wherein the first token comprises pseudo-random data (Patterson [0074], “When a mobile device has been enrolled using an enrollment process according to an embodiment of the invention, the payment processing network 26 may generate a verification token using a verification token management module 702. The verification token may be electronically transmitted to the mobile device. All transmissions received and transmitted, including authorization request messages, authorization response messages, and verification tokens, may be encrypted by an encryption module 704 using security keys.” [0040], “A "verification token" may be any suitable piece of information that can be used to verify that a consumer has presented a payment card or other authentic payment credential to a merchant for verification. Verification tokens may be in any suitable form and any suitable length. Verification tokens may be in the form of numbers, letters, or combinations thereof”), (see paragraphs [0071], [0011], [0012], [0074] and [0040]);
Examiner’s note: the limitation “cryptographically generating, by the token-generator server, a first token based on an account number associated with the payment instrument and based on a diversifier, wherein the first token comprises pseudo-random data” this is nonfunctional descriptive material as it only describes data values, while the data values are not used to perform any of the recited method steps. Therefore, it has been held the nonfunctional descriptive material will not distinguish the invention from the prior art in term of patentability. MPEP 2111.05.
pairing the identifier and the personal cryptogram with the payment instrument when the payment instrument is registered in the payment application on the mobile terminal (See paragraphs [0044], [0072], [0074], [0078-0079], [0088-0090], [0094] and [0106-0107] and Fig. 7 and FIG. 8);
receiving a secure payment token comprising encrypted data corresponding to at least the first token, the transaction data, the identifier of the mobile terminal, and the […] 
verifying validity of the secure payment token (see paragraph [0085]-[0086], and [0142], see also[0050]-[0051], [0109]).

Patterson does not specifically disclose, generating, the first token based on an account number and based on based on a diversifier (e.g., rules or configuration) wherein the first token comprises pseudo-random data (e.g., random data based on a data representing an account number or fixed length).
However, Raj discloses:
cryptographically generating, in response to the request, the first token based on an account number associated with the payment instrument and based on a diversifier, wherein the first token comprises pseudo-random data (Raj [0112], “Token generation module 104b may generate tokens in response to a request from the mobile tokenization hub. In some embodiments, the token generation module 104b can select the token from a numbering scheme and activate the token. For example, with a static token, then the CTC module can create an association between the token and one or more account identifiers. With a dynamic token, the CTC module can set controls and make a pairing available to a payment processing network in order to complete the transaction processing.” [0114], “In some embodiments, token generation rules module 104f can receive rules from a registered system for generating tokens.” [0128], “the requested token is returned to the requesting device. In some embodiments, a provisioning service may be used to open a secure connection to the device and store the token in the device's secure element. In other embodiments, the token may be encrypted and returned directly to the device or through the payment application”, [0055], “a token format for a secure element (SE) device to be used in a transaction can include a token that comprises a static element and a dynamic element. The static element of the token format may comprise a static or non-changing identifier, for example, a primary account number (PAN) substitute (i.e., static account substitute). The dynamic element may be generated using the static element, other consumer account, or device information, or may be received from a third party for one or more transactions.”), (see paragraphs [0112]-[0114], [0128], [0098] and [0055]-[0057] and Fig. 13).

Patterson does not specifically disclose, generating a secure second payment token by encrypting the personal cryptogram.
However, Raj discloses:
generating, by the payment application, a secure payment token by encrypting at least the first token, the transaction data, the identifier of the mobile terminal, and the personal cryptogram (Raj [0162], “In some embodiments, a non-SE mobile device may be used with a dynamic token. The mobile device may include a payment application, such as an issuer payment application, a wallet provider application, and/or a PPN reference application. The non-SE mobile device may perform chip transactions using the dynamic token. Transaction data for the chip transaction may include Track 2 data, a dCVV, an application cryptogram, payment application data, and an ATC. In some embodiments, the payment application at the mobile device may generate a QR code (e.g., Quick Response Code, bar code) that includes the dynamic token. The transaction data type can include a chip transaction which may include Track 2 data, a dCVV, an application cryptogram, issuer application data, and an ATC.” [0164], “the consumer can initiate a transaction with a merchant 1314 using the token. For example, the token may be packaged into a QR code and displayed on the mobile device.”), (see paragraphs [0162] and [0164] and Fig. 13).

Patterson does not specifically disclose, receiving a secure payment token comprising a cryptogram.
However, Raj discloses:
receiving a secure payment token comprising encrypted data corresponding to at least the first token, the transaction data, the identifier of the mobile terminal, and the [application] cryptogram (see paragraphs [0164]-[0165] and Fig. 13).

Alternatively, Raj discloses:
in response to the registration, pairing an identifier of the mobile terminal with the payment instrument ([0106], “device information module 102k can receive mobile device information during registration and interface with credential database 110a to store the device information. The device information can be associated with a consumer…”), and subsequently pairing, by the token-generator server and the payment application, a personal cryptogram with the payment instrument (see paragraphs [0106], [0111], [0155] and [0214]).
verifying validity of the secure payment token (see paragraph [0165] and Fig. 13).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Patterson with Raj to include a function of generating a 

Regarding claim 12: Patterson and Raj, discloses as shown above.
Patterson further discloses: The system according to claim 11, wherein the operations performed by the payment application of the mobile device further comprise generating the identifier of the mobile terminal and the personal cryptogram (See paragraph [0013]).

Regarding claim 14: Patterson and Raj, discloses as shown above.
Patterson further discloses: The system according to claim 11, wherein the identifier of the mobile terminal and the personal cryptogram received by the token-generator server from an authentication server (See paragraph [0012]).

Regarding claim 17: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method of claim 1, wherein the payment application of the mobile terminal is provided with the first token in response to request from the payment application for the first token (See paragraphs [0011], [0015], [0040], [0064] and [0074] and related text).

Regarding claim 18: Patterson and Raj, discloses as shown above.
Patterson further discloses: The method of claim 1, wherein the mobile terminal does not include a secure chip (See paragraph [0011])
Additionally, claim 1 is directed to a method claim as it recites "A method of securing a first token..." However, claim 18 recites structural limitation. It has been held to be entitled to such weight in method claims, the recited structural limitations therein must affect the method in a manipulative sense and not to amount to the mere claiming of a use of a particular structure, which, in our opinion, is the case here. (Ex parte Pfeiffer, 135 USPQ 31 (BdPatApp&Int 1961)).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAHED ALI whose telephone number is (571)270-1085.  The examiner can normally be reached on 8:00 - 5:00 M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAHED ALI/Examiner, Art Unit 3685
/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3685