Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on [05/05/2020]. The
submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the
information disclosure statement is being considered by the examiner.
Drawings
Drawings filed on 02/18/2020 are accepted.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35
U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any
correction of the statutory basis for the rejection will not be considered a new ground of
rejection if the prior art relied upon, and the rationale supporting the rejection, would be
the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application
for patent published or deemed published under section 122(b), in which the patent or application, as the case
may be, names another inventor and was effectively filed before the effective filing date of the claimed
invention.


Claims 1-4 and 10 is/are rejected under 35 U.S.C. 102(a)(2) as being
anticipated by EIDSON et al. (US-20190342088-A1, hereinafter referred to as " EIDSON ")
Referring to claim 1, EIDSON teaches a method comprising:
receiving a request to access data stored in a tokenized file, the tokenized file comprising a plurality of records, each record comprising one or more fields
(EIDSON, (par. [0068]), FIG. 3B) “In the illustrated example of FIG. 3B, each use case 141F and 141E uses a tokenized log record 144C.F and 144C.E”, (par. [0068]) “Each one of the viewer access right 125A and 125B determines for a given user of the use case 141F and 141G the access to the tokenized log records. The user can be an actual person using the use cases, a group defined in the use case, or alternatively the use case itself”), (EIDSON, (par. [0069]), FIG. 3B) “In addition, in one implementation, for each field of the log record in the viewer access right 125-U, a space ID is identified indicating in which space the tokenized field is to be accessed. In this implementation, two or more fields in a record type can be associated with a same spaceID. For example, the use case 141F is operative to access the tokenized log record 144C.F where the third field of the log record and the last field of the log record are tokenized in the same space identified by space ID 121A.”), determining a schema associated with the tokenized file (EIDSON, (par. [0031]) “the term “Personal Data” can be defined as any information relating to an identified or identifiable person. The personal data can include a name of a person (the person being the user of the application or a person related to the user of the application), contact information of a person (such as a physical or email address of the person or a telephone number of the person), a user identifier (referred herein as UserID) uniquely identifying a user of an application, an IP address associated with a device used by the user to access the application, or any other information that is related to the person which can be obtained or used by an application and logged in a raw log record. In some implementations, a distinction can be made between personal data that uniquely identifies the user (such as the name of the person) or renders the user identifiable (such as a user identifier) and user traceable data.”) par 44”), wherein the schema identifies which of the one or more fields of each record contains tokenized data (EIDSON, (par. [0039]) “when using the tokenized log records a use case is only aware of the space in which each field is tokenized. In other implementations, when using the tokenized log records a use case is aware of the space and the tokenization mechanism used for tokenizing the data. For example, when a use case acts as a definer of a log record type in the app log definitions 112, the use case is aware of which strategy is to be applied to a field”); 
extracting instances of tokenized data from the one or more fields in the file by identifying the instances of tokenized data using the determined schema 
(EIDSON, (par. [0041]) “each of the log record types 114A-K is a schema and a set of attributes (e.g., type of data, tokenization strategy, etc.). A tokenization mechanism is a process for determination of a token for a raw value where the token is an anonymized representation of the raw value. Tokenization of a value enables consumers of the data (e.g., log record consumers 140) to use the data for multiple purposes (e.g., debugging, security, analytics, etc.) while having a regulated access to sensitive data (e.g., personal data and/or user traceable data”), (EIDSON, (par. [0059]) “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten).”), (EIDSON, (par. [0045], FIG. 1B) “The tokenized log record generator 120 includes one or more tokenization mechanisms 122A-P. Each of the tokenization mechanism 122A-P is operative to receive raw log records 152 and process them based on the log record types 114A-K to obtain tokenized log records (e.g., 144B.A-144B.B) to be stored/processed by the log record consumers 140. In some implementations, in addition to the log record types 114A-K, the tokenization mechanisms 122A-P may further consider the space IDs 121 when processing the raw log records 152. While the implementations will be described with reference to the exemplary log record 144A and log record 144B of type 114A and 114B respectively, other types of records can be contemplated.”);
sending instances of tokenized data to a decryption system, wherein the decryption system is configured to decrypt (EIDSON, (par. [0046]) “the tokens The tokenization manager 130 enables users of the system to tokenize 134, detokenize 132, or forget 136 the data when proper access rights have been granted to the user”, (EIDSON, (par. [0105], FIG. 2B ) “the keys 128 to be used for encrypting the raw data or decrypting the tokenized data is stored in the data store 124. Alternatively, the keys can be stored in the tokenization mechanism 122A. In some implementation for each space identified with a space ID 121, there are one or more keys that can be used for tokenization or detokenization.”),
receiving decrypted sensitive values corresponding to the instances of tokenized data from the decryption system (EIDSON, (par. [0117]) “The tokenization manager 130 may use one or more other keys for encrypting or decrypting fields of records received during a time interval that precedes the time interval associated with the current key.”), (EIDSON, (par. [0059])  “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten)”,  (EIDSON, (par. [0117], FIG. 1) “In some implementations , the key is kept as a previous key to enable the tokenization manager 130 to tokenize or detokenize data associated with previously tokenized records . The tokenization manager 130 may use one or more other keys for encrypting or decrypting fields of records received during a time interval that precedes the time interval associated with the current key.”); and generating a de-tokenized file comprising a plurality of records, corresponding to the plurality of records (EIDSON, (par. [0046]) “Detokenization is the process of reversing the tokenization performed to generate a token to obtain the raw value from which the token was generated.”), (EIDSON, (par. [0059]) “it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten)”), using the decrypted sensitive values in place of the instances of tokenized data (EIDSON, (par. [0131], FIG. 8A & 8B) “FIG. 8A illustrates a flow diagram of exemplary operations for detokenization of tokens based on time window cryptographic keys in accordance with some implementations. At operation 802, a request to detokenize a first token to retrieve the first raw value is received. For example, a request to detokenize the token XDX2 in tokenized log record 144D.B is received.”, Examiner Interpreted the detokenization process is done based on the steps in FIG. 8A and FIG. 8B).

Referring to claim 2, EIDSON teaches the method of claim 1, further comprising: sending the de-tokenized file to a destination specified by the request.  (EIDSON, (par. [0048]) tokenization, detokenization or forgetting is punctual and is performed in response to a request.”) (EIDSON, (par. [0029], FIG. 1A) “The raw log records 152 include information related to events that occur in one or more application(s). The raw log records 152 are generated by one or more applications (not shown) that are operative to communicate with the tokenizer 110.”, Examiner Interpreted the detokenization is one of the processes that generate raw log).  

Referring to claim 3, EIDSON teaches the method of claim 1, further comprising: retrieving the tokenized file from a remote data store (EIDSON, (par. [0131]) “At operation 802, a request to detokenize a first token to retrieve the first raw value is received. For example, a request to detokenize the token XDX2 in tokenized log record 144D.B is received.”, Based on FIG. 2, Examiner Interpreted the Log Records Consumers 140 as remote data store”).

Referring to claim 4, EIDSON teaches the method of claim 1, wherein extracting instances of tokenized data comprises extracting tokenized data from only part of the file (EIDSON, (par. [0045]) “The tokenized log record generator 120 includes one or more tokenization mechanisms 122A-P. Each of the tokenization mechanism 122A-P is operative to receive raw log records 152 and process them based on the log record types 114A-K to obtain tokenized log records (e.g., 144B.A-144B.B) to be stored/processed by the log record consumers 140. In some implementations, in addition to the log record types 114A-K, the tokenization mechanisms 122A-P may further consider the space IDs 121 when processing the raw log records 152. While the implementations will be described with reference to the exemplary log record 144A and log record 144B of type 114A and 114B respectively, other types of records can be contemplated. The TLRG 120 receives the raw log record 144B and based on the type of the log record 114B a tokenization mechanism is selected for each field of the raw log record that needs to be tokenized. For example, the tokenization mechanism 122D is chosen based on the ST 117D for field 116C of the raw log record 144B. The tokenization mechanism 122C is chosen based on the ST 117C for field 116D of the raw log record 144B. The tokenization mechanism 122A is chosen based on the ST 117A for field 116E of the raw log record 144B. In some implementations, the tokenized log record generator 120 may access the space IDs 121 to determine one or more space IDs in which a field of a record is to be tokenized”).

Referring to claim 10, EIDSON teaches the method of claim 1, wherein both of the tokenized file and the de-tokenized file are arranged according to the same format (EIDSON, (par. [0046]) “Tokenization is the process of generating from a raw value a token that is an anonymized representation of the raw value such that when the token used no information can be obtained on the original raw data. Detokenization is the process of reversing the tokenization performed to generate a token to obtain the raw value from which the token was generated”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed
invention is not identically disclosed as set forth in section 102, if the differences between the
claimed invention and the prior art are such that the claimed invention as a whole would have
been obvious before the effective filing date of the claimed invention to a person having
ordinary skill in the art to which the claimed invention pertains. Patentability shall not be
negated by the manner in which the invention was made.

Claims (5-9, and 11-20) is/are rejected under 35 U.S.C. 103 as being
unpatentable over by EIDSON et al. (US-20190342088-A1, hereinafter referred to as " EIDSON ") and BAILEY et al. (US-20120304273-A1, hereinafter referred to as " BAILEY ")


However, EIDSON does not teach the method of claim 1, further comprising: performing, based on a set of validation rules, a validation check on the decrypted values.
Wherein, BAILEY teaches the method of claim 1, further comprising: performing, based on a set of validation rules, a validation check on the decrypted values (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified EIDSON to incorporate the teaching of BAILEY to utilize the above feature, with the motivation of using The tokenization computer device can detokenize the token depending on the token generation indicated in the token identifier, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier to provide validity for the detokenization process result, as recognized by (BAILEY [0020]).


Referring to claim 6, (EIDSON-BAILEY) suggests the limitations and motivation of claim 5 as discussed above.
Wherein, BAILEY teaches the method of claim 5, further comprising: generating a validated file by adding one or more fields to the de-tokenized file indicating the results of the validation check (BAILEY, (par. [0019]) “The sanity value may be similar to a check value, depending on the embodiment. More specifically, the sanity value is calculated as a result of using clear data as input into a predetermined algorithm. This data is used to validate the result from a tokenization. When a mismatch between the sanity value and the tokenization occurs, this indicates that the detokenization process has failed.”, (BAILEY, (par. [0021]) “From this data, the tokenization computing device can determine the card number and verify this with the sanity value in the token identifier. Once the card number has been determined, the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification”). 
Motivation statement same as claim 5

Referring to claim 7, (EIDSON-BAILEY) suggests the limitations and motivation of claim 6 as discussed above.
Wherein, BAILEY teaches the method of claim 6, further comprising: generating a re-tokenized validated file by replacing decrypted sensitive values with re-tokenized values (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified EIDSON to incorporate the teaching of BAILEY to utilize the above feature, with the motivation of using substituting encrypted sensitive information with re-tokenized values to create a re-tokenized validated file to provide to generate a sanity value that may be used for verification, as recognized by (BAILEY [0021]).


Referring to claim 8, (EIDSON-BAILEY) suggests the limitations and motivation of claim 7 as discussed above.
Wherein, BAILEY teaches the method of claim 7, wherein generating the re-tokenized validated file comprises:
sending the decrypted sensitive values to a remote token generator values (BAILEY, (par. [0034], FIG. 3) “The received sensitive data may be encrypted, such that transmission of the sensitive data to the tokenization computing device 104 is at least somewhat secure. This may be referred to as a point-to-point or end-to-end encryption. At block 332, the received sensitive data may be decrypted.”), 
the remote token generator comprising an encryption system configured to encrypt individual values as tokens (BAILEY, (par. [0034], FIG. 3) “at block 338 a token and token ID may be generated.”);
and receiving tokens corresponding to the decrypted sensitive values from the remote token generator (BAILEY, (par. [0034], FIG. 3) “The token may then be generated, based on an algorithm that depends on the token key. Additionally, the token identifier may identify the key (which may include a version number of the token), as well as a token sanity value for ensuring that the token is accurately generated.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified EIDSON to incorporate the teaching of BAILEY to utilize the above feature, with the motivation of creating the re-tokenized validated file entails sending the decrypted sensitive values to a remote token generator, which includes an encryption system configured to encrypt individual values as tokens, and receiving tokens corresponding to the decrypted sensitive values from the remote token generator to the token is accurately generated as recognized by (BAILEY [0034]).

Referring to claim 9, (EIDSON-BAILEY) suggests the limitations and motivation of claim 7 as discussed above.
Wherein, BAILEY teaches the method of claim 7, further comprising: storing the re-tokenized validated file at a remote data store. (BAILEY, (par. [0034], FIG. 3) “At block 340, the token and token ID may be sent to the vendor.”), (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified EIDSON to incorporate the teaching of BAILEY to utilize the above feature, with the motivation of storing the re-tokenized validated file at a remote data store to provide a secure and safe storage environment as recognized by (BAILEY [0001]).


Referring to claim 11, EIDSON teaches an apparatus comprising:
one or more processors (EIDSON, (par. [0163]) “An electronic device (also referred to as a computing device, computer, etc.) includes hardware and software, such as a set of one or more processors”); and
	memory storing instructions that (EIDSON, (par. [0163]) “processors coupled to one or more machine-readable storage media (e.g., magnetic disks, optical disks, read only memory (ROM), Flash memory, phase change memory, solid state drives (SSDs)) to store code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program)”), when executed by the one or more processors (EIDSON, (par. [0163]) “read only memory (ROM), Flash memory, phase change memory, solid state drives (SSDs)) to store code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) for execution on the set of processors and/or to store data”),cause the apparatus to:
receive a request to access data stored in a tokenized file (EIDSON, (par. [0068]), FIG. 3B) “In the illustrated example of FIG. 3B, each use case 141F and 141E uses a tokenized log record 144C.F and 144C.E”, (par. [0068]) “Each one of the viewer access right 125A and 125B determines for a given user of the use case 141F and 141G the access to the tokenized log records. The user can be an actual person using the use cases, a group defined in the use case, or alternatively the use case itself”), the tokenized file being arranged in a format and comprising a plurality of records, each record comprising one or more fields (EIDSON, (par. [0068]), FIG. 3B) “In the illustrated example of FIG. 3B, each use case 141F and 141E uses a tokenized log record 144C.F and 144C.E”, (par. [0068]) “Each one of the viewer access right 125A and 125B determines for a given user of the use case 141F and 141G the access to the tokenized log records. The user can be an actual person using the use cases, a group defined in the use case, or alternatively the use case itself”), (EIDSON, (par. [0069]), FIG. 3B) “In addition, in one implementation, for each field of the log record in the viewer access right 125-U, a space ID is identified indicating in which space the tokenized field is to be accessed. In this implementation, two or more fields in a record type can be associated with a same spaceID. For example, the use case 141F is operative to access the tokenized log record 144C.F where the third field of the log record and the last field of the log record are tokenized in the same space identified by space ID 121A.”);
determine a schema associated with the tokenized file (EIDSON, (par. [0031]) “the term “Personal Data” can be defined as any information relating to an identified or identifiable person. The personal data can include a name of a person (the person being the user of the application or a person related to the user of the application), contact information of a person (such as a physical or email address of the person or a telephone number of the person), a user identifier (referred herein as UserID) uniquely identifying a user of an application, an IP address associated with a device used by the user to access the application, or any other information that is related to the person which can be obtained or used by an application and logged in a raw log record. In some implementations, a distinction can be made between personal data that uniquely identifies the user (such as the name of the person) or renders the user identifiable (such as a user identifier) and user traceable data.”), wherein the schema identifies which of the one or more fields of each record contains tokenized data (EIDSON, (par. [0039]) “when using the tokenized log records a use case is only aware of the space in which each field is tokenized. In other implementations, when using the tokenized log records a use case is aware of the space and the tokenization mechanism used for tokenizing the data. For example, when a use case acts as a definer of a log record type in the app log definitions 112, the use case is aware of which strategy is to be applied to a field”);
extract instances of tokenized data from the one or more fields in the file by identifying the instances of tokenized data using the determined schema (EIDSON, (par. [0041]) “each of the log record types 114A-K is a schema and a set of attributes (e.g., type of data, tokenization strategy, etc.). A tokenization mechanism is a process for determination of a token for a raw value where the token is an anonymized representation of the raw value. Tokenization of a value enables consumers of the data (e.g., log record consumers 140) to use the data for multiple purposes (e.g., debugging, security, analytics, etc.) while having a regulated access to sensitive data (e.g., personal data and/or user traceable data”), (EIDSON, (par. [0059]) “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten).”), (EIDSON, (par. [0045], FIG. 1B) “The tokenized log record generator 120 includes one or more tokenization mechanisms 122A-P. Each of the tokenization mechanism 122A-P is operative to receive raw log records 152 and process them based on the log record types 114A-K to obtain tokenized log records (e.g., 144B.A-144B.B) to be stored/processed by the log record consumers 140. In some implementations, in addition to the log record types 114A-K, the tokenization mechanisms 122A-P may further consider the space IDs 121 when processing the raw log records 152. While the implementations will be described with reference to the exemplary log record 144A and log record 144B of type 114A and 114B respectively, other types of records can be contemplated.”);
send instances of tokenized data to a decryption system, wherein the decryption system is configured to decrypt the tokens (EIDSON, (par. [0046]) “the tokens The tokenization manager 130 enables users of the system to tokenize 134, detokenize 132, or forget 136 the data when proper access rights have been granted to the user”, (EIDSON, (par. [0105], FIG. 2B ) “the keys 128 to be used for encrypting the raw data or decrypting the tokenized data is stored in the data store 124. Alternatively, the keys can be stored in the tokenization mechanism 122A. In some implementation for each space identified with a space ID 121, there are one or more keys that can be used for tokenization or detokenization.”);
receive decrypted sensitive values corresponding to the instances of tokenized data from the decryption system (EIDSON, (par. [0117]) “The tokenization manager 130 may use one or more other keys for encrypting or decrypting fields of records received during a time interval that precedes the time interval associated with the current key.”), (EIDSON, (par. [0059])  “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten)”,  (EIDSON, (par. [0117], FIG. 1) “In some implementations , the key is kept as a previous key to enable the tokenization manager 130 to tokenize or detokenize data associated with previously tokenized records . The tokenization manager 130 may use one or more other keys for encrypting or decrypting fields of records received during a time interval that precedes the time interval associated with the current key.”);
generate a de-tokenized file arranged in the format and comprising a plurality of records, corresponding to the plurality of records (EIDSON, (par. [0046]) “Detokenization is the process of reversing the tokenization performed to generate a token to obtain the raw value from which the token was generated.”), (EIDSON, (par. [0059]) “it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten)”), using the decrypted sensitive values in place of the instances of tokenized data (EIDSON, (par. [0131], FIG. 8A & 8B) “FIG. 8A illustrates a flow diagram of exemplary operations for detokenization of tokens based on time window cryptographic keys in accordance with some implementations. At operation 802, a request to detokenize a first token to retrieve the first raw value is received. For example, a request to detokenize the token XDX2 in tokenized log record 144D.B is received.”, Examiner Interpreted the detokenization process is done based on the steps in FIG. 8A and FIG. 8B);
	However, EIDSON does not tech perform, based on a set of validation rules, a validation check on the decrypted values;
	generate a validated file, arranged in the format, by adding one or more fields to the de-tokenized file indicating the results of the validation check.
	Wherein, BAILEY teaches perform, based on a set of validation rules, a validation check on the decrypted values (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier.”); and
generate a validated file, arranged in the format, by adding one or more fields to the de-tokenized file indicating the results of the validation check (BAILEY, (par. [0019]) “The tokenization computing device may additionally generate a token identifier. The token identifier is then linked to the token and is configured to provide token generation data, token version data, as well as a sanity value to ensure correctness of the token. The sanity value may be similar to a check value, depending on the embodiment. More specifically, the sanity value is calculated as a result of using clear data as input into a predetermined algorithm. This data is used to validate the result from a tokenization. When a mismatch between the sanity value and the tokenization occurs, this indicates that the detokenization process has failed.”, (BAILEY, (par. [0021]) “From this data, the tokenization computing device can determine the card number and verify this with the sanity value in the token identifier. Once the card number has been determined, the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified EIDSON to incorporate the teaching of BAILEY to utilize the above feature, with the motivation of generating a validated file based on a set of validation rules, validation checks on the decrypted values storing the re-tokenized validated file at a remote data store to provide to encrypt the sensitive data as recognized by (BAILEY [0020]).


Referring to claim 12, (EIDSON-BAILEY) suggests the limitations and motivation of claim 11 as discussed above.
(EIDSON, (par. [0131]) “At operation 802, a request to detokenize a first token to retrieve the first raw value is received. For example, a request to detokenize the token XDX2 in tokenized log record 144D.B is received.”, Based on FIG. 2, Examiner Interpreted the Log Records Consumers 140 as remote data store”).

Referring to claim 13, (EIDSON-BAILEY) suggests the limitations and motivation of claim 12 as discussed above.
EIDSON further teaches the apparatus of claim 12, wherein the instructions, when executed by the one or more processors cause the apparatus to extract instances of tokenized data by extracting tokenized data from only part of the file (EIDSON, (par. [0163])  “implementations may include software and/or a combination of software and hardware. An electronic device (also referred to as a computing device, computer, etc.) includes hardware and software, such as a set of one or more processors coupled to one or more machine-readable storage media (e.g., magnetic disks, optical disks, read only memory (ROM), Flash memory, phase change memory, solid state drives (SSDs)) to store code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) for execution on the set of processors and/or to store data”), EIDSON, (par. [0041]) “each of the log record types 114A-K is a schema and a set of attributes (e.g., type of data, tokenization strategy, etc.). A tokenization mechanism is a process for determination of a token for a raw value where the token is an anonymized representation of the raw value. Tokenization of a value enables consumers of the data (e.g., log record consumers 140) to use the data for multiple purposes (e.g., debugging, security, analytics, etc.) while having a regulated access to sensitive data (e.g., personal data and/or user traceable data”), (EIDSON, (par. [0059]) “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten).”), (EIDSON, (par. [0045], FIG. 1B) “the tokenization mechanisms 122A-P may further consider the space IDs 121 when processing the raw log records 152. While the implementations will be described with reference to the exemplary log record 144A and log record 144B of type 114A and 114B respectively, other types of records can be contemplated.”).

Referring to claim 14, (EIDSON-BAILEY) suggests the limitations and motivation of claim 11 as discussed above.
Wherein, BAILEY teaches the apparatus of claim 11, wherein the instructions, when executed by the one or more processors cause the apparatus to generate a re-tokenized validated file by replacing decrypted sensitive values with re-tokenized values (BAILEY, (par. [0030], FIG. 2) “FIG. 2 depicts a computing architecture for tokenizing sensitive data, according to embodiments disclosed herein. In the illustrated embodiment, the tokenization computing device 104 includes at least one processor 230, input/output hardware 232, network interface hardware 234, a data storage component 236 (which includes token data 238 a, token ID data 238 b, and/or other data), and the memory component 140.”), (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).
Motivation statement same as claim 11.

Referring to claim 15, (EIDSON-BAILEY) suggests the limitations and motivation of claim 14 as discussed above.
Wherein, BAILEY teaches apparatus of claim 14, wherein the instructions, when executed by the one or more processors cause the apparatus to generate the re-(BAILEY, (par. [0034], FIG. 3) “The received sensitive data may be encrypted, such that transmission of the sensitive data to the tokenization computing device 104 is at least somewhat secure. This may be referred to as a point-to-point or end-to-end encryption. At block 332, the received sensitive data may be decrypted.”), the remote token generator comprising an encryption system configured to encrypt individual values as tokens (BAILEY, (par. [0034], FIG. 3) “at block 338 a token and token ID may be generated.”); and
receiving tokens corresponding to the decrypted sensitive values from the remote token generator (BAILEY, (par. [0034], FIG. 3) “The token may then be generated, based on an algorithm that depends on the token key. Additionally, the token identifier may identify the key (which may include a version number of the token), as well as a token sanity value for ensuring that the token is accurately generated.”).
Motivation statement same as claim 11.

Referring to claim 16, (EIDSON-BAILEY) suggests the limitations and motivation of claim 14 as discussed above.
Wherein, BAILEY teaches apparatus of claim 14, wherein the instructions, when executed by the one or more processors cause the apparatus to store the re-tokenized validated file at a remote data store. (BAILEY, (par. [0030], FIG. 2) “FIG. 2 depicts a computing architecture for tokenizing sensitive data, according to embodiments disclosed herein. In the illustrated embodiment, the tokenization computing device 104 includes at least one processor 230, input/output hardware 232, network interface hardware 234, a data storage component 236 (which includes token data 238 a, token ID data 238 b, and/or other data), and the memory component 140.”), (BAILEY, (par. [0034], FIG. 3) “At block 340, the token and token ID may be sent to the vendor.”), (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).

Referring to claim 17, EIDSON teaches a non-transitory computer readable medium storing computer instruction that, when executed by one or more processors, cause the processors to:
receive a request to access data stored in a tokenized file, the tokenized file being arranged in a format and comprising a plurality of records, each record comprising one or more fields (EIDSON, (par. [0165]) “FIG. 11A is a block diagram illustrating an electronic device 1100 according to some example implementations. FIG. 5A includes hardware 1120 comprising a set of one or more processor(s) 1122, a set of one or more network interfaces 1124 (wireless and/or wired), and non-transitory machine- readable storage media 1126 having stored therein software 1128 (which includes instructions executable by the set of one or more processor(s) 1122). Each of the previously described end user clients and the tokenizer 110, and the log record consumers 140 may be implemented in one or more electronic devices 1100.”), (EIDSON, (par. [0068]), FIG. 3B) “In the illustrated example of FIG. 3B, each use case 141F and 141E uses a tokenized log record 144C.F and 144C.E”, (par. [0068]) “Each one of the viewer access right 125A and 125B determines for a given user of the use case 141F and 141G the access to the tokenized log records. The user can be an actual person using the use cases, a group defined in the use case, or alternatively the use case itself”), (EIDSON, (par. [0069]), FIG. 3B) “In addition, in one implementation, for each field of the log record in the viewer access right 125-U, a space ID is identified indicating in which space the tokenized field is to be accessed. In this implementation, two or more fields in a record type can be associated with a same spaceID. For example, the use case 141F is operative to access the tokenized log record 144C.F where the third field of the log record and the last field of the log record are tokenized in the same space identified by space ID 121A.”);
determine a schema associated with the tokenized file (EIDSON, (par. [0031]) “the term “Personal Data” can be defined as any information relating to an identified or identifiable person. The personal data can include a name of a person (the person being the user of the application or a person related to the user of the application), contact information of a person (such as a physical or email address of the person or a telephone number of the person), a user identifier (referred herein as UserID) uniquely identifying a user of an application, an IP address associated with a device used by the user to access the application, or any other information that is related to the person which can be obtained or used by an application and logged in a raw log record. In some implementations, a distinction can be made between personal data that uniquely identifies the user (such as the name of the person) or renders the user identifiable (such as a user identifier) and user traceable data.”), wherein the schema identifies which of the one or more fields of each record contains tokenized data (EIDSON, (par. [0039]) “when using the tokenized log records a use case is only aware of the space in which each field is tokenized. In other implementations, when using the tokenized log records a use case is aware of the space and the tokenization mechanism used for tokenizing the data. For example, when a use case acts as a definer of a log record type in the app log definitions 112, the use case is aware of which strategy is to be applied to a field”);
extract instances of tokenized data from the one or more fields in the file by identifying the instances of tokenized data using the determined schema (EIDSON, (par. [0041]) “each of the log record types 114A-K is a schema and a set of attributes (e.g., type of data, tokenization strategy, etc.). A tokenization mechanism is a process for determination of a token for a raw value where the token is an anonymized representation of the raw value. Tokenization of a value enables consumers of the data (e.g., log record consumers 140) to use the data for multiple purposes (e.g., debugging, security, analytics, etc.) while having a regulated access to sensitive data (e.g., personal data and/or user traceable data”), (EIDSON, (par. [0059]) “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten).”), (EIDSON, (par. [0045], FIG. 1B) “The tokenized log record generator 120 includes one or more tokenization mechanisms 122A-P. Each of the tokenization mechanism 122A-P is operative to receive raw log records 152 and process them based on the log record types 114A-K to obtain tokenized log records (e.g., 144B.A-144B.B) to be stored/processed by the log record consumers 140. In some implementations, in addition to the log record types 114A-K, the tokenization mechanisms 122A-P may further consider the space IDs 121 when processing the raw log records 152. While the implementations will be described with reference to the exemplary log record 144A and log record 144B of type 114A and 114B respectively, other types of records can be contemplated.”);
send instances of tokenized data to a decryption system, wherein the decryption system is configured to decrypt the tokens (EIDSON, (par. [0046]) “the tokens The tokenization manager 130 enables users of the system to tokenize 134, detokenize 132, or forget 136 the data when proper access rights have been granted to the user”, (EIDSON, (par. [0105], FIG. 2B ) “the keys 128 to be used for encrypting the raw data or decrypting the tokenized data is stored in the data store 124. Alternatively, the keys can be stored in the tokenization mechanism 122A. In some implementation for each space identified with a space ID 121, there are one or more keys that can be used for tokenization or detokenization.”);
receive decrypted sensitive values corresponding to the instances of tokenized data from the decryption system (EIDSON, (par. [0117]) “The tokenization manager 130 may use one or more other keys for encrypting or decrypting fields of records received during a time interval that precedes the time interval associated with the current key.”), (EIDSON, (par. [0059])  “The characteristics of a space (that is identified with a respective space ID) determines what a use case is allowed to see from a log record (what is raw vs tokenized), it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten)”,  (EIDSON, (par. [0117], FIG. 1) “In some implementations , the key is kept as a previous key to enable the tokenization manager 130 to tokenize or detokenize data associated with previously tokenized records . The tokenization manager 130 may use one or more other keys for encrypting or decrypting fields of records received during a time interval that precedes the time interval associated with the current key.”);
(EIDSON, (par. [0046]) “Detokenization is the process of reversing the tokenization performed to generate a token to obtain the raw value from which the token was generated.”), (EIDSON, (par. [0059]) “it may define a time period within which the use case can detokenize a tokenized field of a tokenized log record (e.g., the detokenization can be allowed for a time period, always allowed, always allowed prior to user requesting to be forgotten)”), using the decrypted sensitive values in place of the instances of tokenized data(EIDSON, (par. [0131], FIG. 8A & 8B) “FIG. 8A illustrates a flow diagram of exemplary operations for detokenization of tokens based on time window cryptographic keys in accordance with some implementations. At operation 802, a request to detokenize a first token to retrieve the first raw value is received. For example, a request to detokenize the token XDX2 in tokenized log record 144D.B is received.”, Examiner Interpreted the detokenization process is done based on the steps in FIG. 8A and FIG. 8B);
However, EIDSON does not tech perform, based on a set of validation rules, a validation checks on the decrypted values generate a validated file, arranged in the format, by adding one or more fields to the de-tokenized file indicating the results of the validation check;
send the decrypted sensitive values to a remote token generator, the remote token generator comprising an encryption system configured to encrypt individual values as tokens;

generate a re-tokenized validated file by replacing decrypted sensitive values with tokenized values.
Wherein, BAILEY teaches perform, based on a set of validation rules, a validation checks on the decrypted values (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier.”);
generate a validated file, arranged in the format, by adding one or more fields to the de-tokenized file indicating the results of the validation check (BAILEY, (par. [0019]) “The tokenization computing device may additionally generate a token identifier. The token identifier is then linked to the token and is configured to provide token generation data, token version data, as well as a sanity value to ensure correctness of the token. The sanity value may be similar to a check value, depending on the embodiment. More specifically, the sanity value is calculated as a result of using clear data as input into a predetermined algorithm. This data is used to validate the result from a tokenization. When a mismatch between the sanity value and the tokenization occurs, this indicates that the detokenization process has failed.”, (BAILEY, (par. [0021]) “From this data, the tokenization computing device can determine the card number and verify this with the sanity value in the token identifier. Once the card number has been determined, the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification”);
send the decrypted sensitive values to a remote token generator (BAILEY, (par. [0034], FIG. 3) “The received sensitive data may be encrypted, such that transmission of the sensitive data to the tokenization computing device 104 is at least somewhat secure. This may be referred to as a point-to-point or end-to-end encryption. At block 332, the received sensitive data may be decrypted.”), the remote token generator comprising an encryption system configured to encrypt individual values as tokens (BAILEY, (par. [0034], FIG. 3) “at block 338 a token and token ID may be generated.”);
receive tokens corresponding to the decrypted sensitive values from the remote token generator (BAILEY, (par. [0034], FIG. 3) “The token may then be generated, based on an algorithm that depends on the token key. Additionally, the token identifier may identify the key (which may include a version number of the token), as well as a token sanity value for ensuring that the token is accurately generated.”); and
generate a re-tokenized validated file by replacing decrypted sensitive values with tokenized values (BAILEY, (par. [0030], FIG. 2) “FIG. 2 depicts a computing architecture for tokenizing sensitive data, according to embodiments disclosed herein. In the illustrated embodiment, the tokenization computing device 104 includes at least one processor 230, input/output hardware 232, network interface hardware 234, a data storage component 236 (which includes token data 238 a, token ID data 238 b, and/or other data), and the memory component 140.”), (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified EIDSON to incorporate the teaching of BAILEY to utilize the above feature, with the motivation of validation check on the decrypted values is performed using a set of validation criteria. generate a validated file in the format by adding one or more fields to the de-tokenized file reflecting the validation check results. Send the decrypted sensitive data to a remote token generator, which includes an encryption system capable of encrypting individual values as tokens. get tokens from the remote token generator according to the decrypted sensitive values build a verified file that has been re-tokenized by replacing decrypted sensitive entries with tokenized values to provide a validation indicator for the de-tokenized file and assure the token is accurately generated as recognized by (BAILEY [0021]).

Referring to claim 18, (EIDSON-BAILEY) suggests the limitations and motivation of claim 17 as discussed above.
(BAILEY, (par. [0030], FIG. 2) “FIG. 2 depicts a computing architecture for tokenizing sensitive data, according to embodiments disclosed herein. In the illustrated embodiment, the tokenization computing device 104 includes at least one processor 230, input/output hardware 232, network interface hardware 234, a data storage component 236 (which includes token data 238 a, token ID data 238 b, and/or other data), and the memory component 140.”), (BAILEY, (par. [0034], FIG. 3) “At block 340, the token and token ID may be sent to the vendor.”), (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).
Motivation statement same as claim 17.


Wherein, BAILEY teaches the non-transitory computer readable medium of claim 18, wherein the remote data store is cloud-based.  (BAILEY, (par. [0020]) “The tokenization computing device can detokenize the token, based on the token generation identified in the token identifier. Upon detokenization, the tokenization computing device can verify that the correct card number was determined by decryption of the sanity value in the token identifier. The tokenization computing device can then encrypt the card number and send the encrypted card number to the vendor.”), (BAILEY, (par. [0021]) “the tokenization computing device can re-tokenize the token. The re-tokenization can be simply to update the generation and/or to utilize a different tokenization mechanism. Regardless, once the token has been updated, the token identifier may be also updated to reflect this change in the token, as well as to create a sanity value for verification. The updated tokens and token identifiers may then be sent to the vendor.”).  (BAILEY, (par. [0028], FIG. 1) “Depending on the particular embodiment, each of the computing devices 102-104 may represent a plurality of computers, servers, databases, etc.”).
Motivation statement same as claim 17.

Referring to claim 20, (EIDSON-BAILEY) suggests the limitations and motivation of claim 17 as discussed above.
(EIDSON, (par. [0046]) “Tokenization is the process of generating from a raw value a token that is an anonymized representation of the raw value such that when the token used no information can be obtained on the original raw data. Detokenization is the process of reversing the tokenization performed to generate a token to obtain the raw value from which the token was generated”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
KUMMICK et al. (US- 20160267466-A1, KUMMICK referred to as " KUMMICK”) suggests (par. [0099]) “processing network 510 may de-tokenize first transaction token 204A and replace it with real account information of the user in the authorization request message. This enables authorization computer 512 to identify the user's account to utilize for the transaction.”).
Any inquiry concerning this communication or earlier communications from the
examiner should be directed to AHMED HUMADI whose telephone number is (571)272-2066.
The examiner can normally be reached (7:30 am - 4:00 pm) Monday to Thursday.

http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s
supervisor, Eleni Shiferaw, can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be
obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AHMED HUMADI/Examiner, Art Unit 2497                                                                                                                                                                                                  /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497