Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This is first office action on the merits in response to the application filed on 02/16/2022.
Claims 1-30 are currently pending and subject to a restriction requirement.
Applicant elected Group I (Claims 1-25) and Claims 1-25 have been examined.
Claims 26-30 have been withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/26/2019, 11/04/2020, and 02/28/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claims 4 and 14 objected to because of the following informalities:  
Claim 4, line 1 states: “The method of claim 4.” Examiner is examining the claim as if claim 4 depended from claim 1.  
Claim 14, line 1 states: “The method of claim 14.” Examiner is examining the claim as if claim 14 depended from claim 11.
Appropriate correction is required.

Claim Interpretation 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
receiving, at a commerce platform, a transaction request from the merchant system; decrypting, by the commerce platform, the encrypted payment card data using an encryption key selected based on the card identifier; authorizing, by the commerce platform in communication with one or more authorization systems, the transaction using the decrypted payment card data; and in response to the one or more authorization systems authorizing the transaction, the commerce platform returning a transaction authorization for the transaction request to the merchant system in claims 1 and 11; This element is interpreted under 112(f) as the data processing system illustrated in Figure 6 that includes a bus or other internal communication means 615 for communicating information, and a processor 610 coupled to the bus 615 for processing information. The system further comprises a random access memory (RAM) or other volatile storage device 650 (referred to as memory), coupled to bus 615 for storing information and instructions to 
distributing, by the commerce platform, a software development kit (SDK) for development of a merchant applicationSMRH:4841-3214-2299.1-4-50GL-279138Application No.: 16/247,346 in claims 2, 12, and 22; This element is interpreted under 112(f) as the data processing system defined above for claims 1 and 11.
generating, by the commerce platform, first private key public key pairs; storing, in a key vault of the commerce platform, private encryption keys form the first private key public key pairs generated by the commerce platform; and providing, by the commerce platform to the merchant system, at least one public encryption key form the first private key public key pairs for merchant systemSMRH:4841-3214-2299.1-4-50GL-279138Application No.: 16/247,346 in claims 5, 15, and 23; This element is interpreted under 112(f) as the data processing system defined above for claims 1 and 11.
 distributing, by the commerce platform to the merchant system, a set of cryptographic salts for use by the SDK during card not present transactions with customersSMRH:4841-3214-2299.1-4-50GL-279138Application No.: 16/247,346 in claims 8, 18, and 24; This 
in response to the receipt of the transaction request from the merchant system, the commerce platform generating a token, wherein the token comprises a unique identifier for the transaction associated with the transaction request; and providing, by the commerce system to the merchant system, the token prior to performing the authorizationSMRH:4841-3214-2299.1-4-50GL-279138Application No.: 16/247,346 in claims 9, 19, and 25; This element is interpreted under 112(f) as the data processing system defined above for claims 1 and 11.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. Therefore, by choosing to use a means-plus-function limitation and invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant limits that claim limitation to the disclosed structure, i.e., implementation by hardware or the combination of hardware and software, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 7-8, 11, 17-18, 21, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Cacioppo (US 20150310425) in view of McGuire (US 20100257612).

Regarding Claims 1, 11, and 21, Cacioppo teaches receiving, at a commerce platform, a transaction request from the merchant system, wherein the transaction request is generated by the merchant system and comprises a card identifier and encrypted payment card data (Paragraphs  then generates a temporary pseudo-PAN at least based on an encryption salt; when the pseudo-PAN is generated (as depicted in the example of FIG. 4), the first six digits of the PAN, or the routing segment are preserved in the pseudo-PAN (“5555 6612 3456 7895), while the remainder of the pseudo-PAN is encrypted; after the pseudo-PAN is generated, the consumer's computing device presents the pseudo-PAN to the merchant; the merchant captures the pseudo-PAN and stores the pseudo-PAN then transmits an authorization request), wherein the card identifier is determined from card data for a payment card used in the transaction and the encrypted payment card data comprises at least an encryption of a payment account number generated by a computing device upon ingestion of the card data system (Paragraphs 0011 and 0037 teach when a consumer attempts to complete a payment transaction, payment information specific to the consumer (e.g., a primary account number (PAN)), may be masked by generating a one-time token, which is then used during certain segments of the transaction from a consumer to a merchant; the consumer is registered to the payment service, whereby the appropriate consumer-specific data is received and stored by the payment service; decrypting, by the commerce platform, the encrypted payment card data using an encryption key selected based on the card identifier, the encryption key associated with the commerce platform (Paragraphs 0032 and 0037 teach upon receipt of the authorization request, the payment service decrypts the pseudo-PAN, by use of the same encryption algorithm used by the consumer's computing device and the most recently generated salt; when the payment service receives a one-time token based on consumer-specific data, the payment service receives an indication of not only a one-time token, but also an identification of the consumer, so that the payment service may decrypt the one-time token based on their consumer-specific data and the salt, as described above); authorizing, by the commerce platform in communication with one or more authorization systems, the transaction using the decrypted payment card data (Paragraphs 0032-0033 teach the payment service then searches in memory for the decrypted PAN, and then passes the authorization request to the issuer; the payment service will further modify the authorization request to include the decrypted payment information, prior to passing the authorization request to the issuer); and in response to the one or more authorization systems authorizing the transaction, the commerce platform returning a transaction authorization for the transaction request to the merchant system (Paragraph 0035 teaches in response to the authorization request, the issuer responds to the request, and in turn, the payment service receives the reply to the authorization request; the payment service 
However, Cacioppo does not explicitly teach wherein the card identifier is determined from card data for a payment card used in the transaction and the encrypted payment card data comprises at least an encryption of a payment account number generated by the merchant system upon ingestion of the card data by the merchant system.
McGuire from same or similar field of endeavor teaches wherein the card identifier is determined from card data for a payment card used in the transaction and the encrypted payment card data comprises at least an encryption of a payment account number generated by the merchant system upon ingestion of the card data by the merchant system (Paragraphs 0033 and 0030 teach a token application (i.e., works with the web store (i.e., online merchant) to make a purchase) encrypts payment-card numbers as they are received and generates tokens corresponding to those payment-card numbers; a part of the token might contain part of the payment-card number, e.g., Such that the payment card type and the last four digits of the card are actually part of the token itself, to assist customers and customer-service representatives in confirming or identifying, generally, the card corresponding to the token).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Cacioppo, which teaches receiving encrypted card data from a merchant and decrypting and authorizing the card data to authorize a transaction to incorporate the teachings of McGuire for the card identifier to be determined from card data for a payment card 
There is motivation to combine McGuire into Cacioppo because under the PCI Data-Security Standard (DSS) and the related PCI Security-Audit Procedures, merchants are required to document their compliance with the DSS (McGuire Paragraph 0006). The payment-processing system employs three “in-scope” network segments, or zones, for PCI purposes: (i) a web-server zone including web store, (ii) a customer-service zone including input module, and (iii) a PCI server zone including tokenizer and payment-card middleware. Achieving and maintaining PCI compliance using these three well-defined and limited network segments and their corresponding functionality can be considerably simpler and more manageable to implement than remediating or modifying large sections of a corporate network (McGuire Paragraph 0031).
Regarding Claim 1, Cacioppo teaches a method for processing a transaction between a merchant system and a customer system, the customer system associated with a customer of the merchant (Paragraph 0024 teaches FIG. 3 illustrates an exemplary method of processing a payment transaction by a one-time token).
Regarding Claim 11, Cacioppo teaches a non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform operations for processing a transaction between a merchant system and a customer system, the customer system associated with a customer of the merchant (Paragraph 
Regarding Claim 21, Cacioppo teaches a commerce platform, comprising: a memory; and a processor coupled with the memory configured to perform operations (Paragraphs 0016-0018 teach each the payment service may be implemented in a computing device, which may include a single computing device or multiple computing devices located together such as  servers; the exemplary computing device includes a memory and a processor that is coupled to memory; the processor may include one or more processing units; the memory may store computer-executable instructions for execution by the processor to cause the processor to perform one or more of the functions described herein).

Regarding Claims 7 and 17, the combination of Cacioppo and McGuire teaches all the limitations of Claims 1 and 11 above; however, the combination does not explicitly teach wherein the card identifier is a deterministic identifier generated by the merchant system to identify the payment card used for the transaction with the customer.
wherein the card identifier is a deterministic identifier generated by the merchant system to identify the payment card used for the transaction with the customer (Paragraph 0033 teaches a token application encrypts payment-card numbers as they are received and generates tokens corresponding to those payment-card numbers; a part of the token might contain part of the payment-card number, e.g., Such that the payment card type and the last four digits of the card are actually part of the token itself, to assist customers and customer-service representatives in confirming or identifying, generally, the card corresponding to the token; for example, a payment-card number having a value of “371449635398183” might have a corresponding token with a value of “37-Nc4×WKms-8183,” where (i) the first two digits, “37,” identify the card as being of type American Express, (ii) the middle portion of the token is a randomly-generated alphanumeric string, and (iii) the last four digits, “8183,” are usable to confirm the card number with the cardholder).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Cacioppo and McGuire to further incorporate the teachings of McGuire for the card identifier to be a deterministic identifier generated by the merchant system to identify the payment card used for the transaction with the customer.
There is motivation to further combine McGuire into the combination of Cacioppo and McGuire because of the same reasons listed above for claims 1 and 11.

Regarding Claims 8, 18, and 24, the combination of Cacioppo and McGuire teaches all the limitations of Claims 7, 17, and 21 above; and Cacioppo further distributing, by the commerce platform to the merchant system, a set of cryptographic salts for use by the SDK during card not present transactions with customers (Paragraph 0022 teaches each computing device associated with the consumer and the payment service, through execution of program instructions by the processor, generates encryption salts; the salt is generally a randomly generated number, and synchronized between the consumer computing device and the payment service computing device); and receiving the deterministic identifier as the card identifier, wherein the deterministic identifier is generated by the SDK executing within the merchant application during a card not present transaction by the SDK: selecting a cryptographic salt from the set of cryptographic salts based on the card data, and performing at least one hashing function on the selected cryptographic salt and the card data to obtain the deterministic identifier (Paragraph 0022 teaches the salt, in other embodiments, may be generated based on static data, including, for example, certain consumer-specific data).

Examiner Note: The phrase “for use by the SDK during card not present transactions with customers” does not have patentable weight as it states the intended use of the limitation “distributing, by the commerce platform to the merchant system, a set of cryptographic salts.”


Claims 2-3, 12-13, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Cacioppo (US 20150310425) in view of McGuire (US 20100257612) in further view of Goldfarb (US 20140372320).

Regarding Claims 2, 12, and 22, the combination of Cacioppo and McGuire teaches all the limitations of claims 1, 11, and 21 above; however, the combination does not explicitly teach wherein prior to receiving the transaction request, the method further comprises: 16/523,456210142P026distributing, by the commerce platform, a software development kit (SDK) for development of a merchant application that enables card not present transaction processing by the commerce platform on behalf of the merchant system using card data of the customer, wherein the card data is encrypted by the SDK upon receipt of the card data by the merchant application and not stored or accessible in unencrypted form to the merchant system.
Goldfarb from same or similar field of endeavor teaches wherein prior to receiving the transaction request, the method further comprises: 16/523,456210142P026distributing, by the commerce platform, a software development kit (SDK) for development of a merchant application that enables card not present transaction processing by the commerce platform on behalf of the merchant system using card data of the customer (Paragraphs 0023-0024 and 0026 teach a third party application may be modified by software development kit (SDK) provided by payment provider so that third party application integrates functions that allow it to provide services from payment provider that can facilitate transactions and payments between consumer and merchant; a software wherein the card data is encrypted by the SDK upon receipt of the card data by the merchant application and not stored or accessible in unencrypted form to the merchant system (Paragraphs 0022 and 0024 teach the third party application may take the card data, which may be encrypted, and transmit it to back-end servers, such as the payment provider server, which in turn may communicate with payment networks to complete the transaction; in order for merchant to accept chip and PIN payments, the merchant is typically required to certify the merchant's transaction processing from end to end—e.g., from reading card data to processing the transaction by payment provider server and communicating with the payment networks—with the schemes such as Visa® and MasterCard®; the SDK may create an abstraction layer for modification of the third party's own app that allows the merchant to include in POS system all the functionality that needs to be certified in the SDK and certify the functionality once as being of the payment provider).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Cacioppo and McGuire to incorporate the teachings of Goldfarb for prior to receiving the transaction request, the method to further comprise: 16/523,456210142P026distributing, by the commerce platform, a software development kit (SDK) for development of a merchant application that enables card not present transaction 
There is motivation to combine Goldfarb into the combination of Cacioppo and McGuire because methods and systems are provided to enable a payment provider's system to be integrated into the merchant's POS system, for example, by modifying the merchant's POS system using an SDK. For example, account records can be imported and consolidated from the merchant's POS system into the modified POS system, and the merchant's POS system can be adapted to drive the payment provider device (e.g., card reader) without the merchant having to use an app of the payment provider in order to use the payment provider device (Goldfarb Paragraph 0018). The SDK may effectively provide a way for the merchant to use the certification of the SDK in the POS system without “breaking” the certification yet retain the flexibility to use the merchant's own app (POS system) (Goldfarb Paragraph 0024).

Regarding Claims 3 and 13, the combination of Cacioppo, McGuire, and Goldfarb teaches all the limitations of claims 2 and 12 above; however, the combination does not explicitly teach wherein the merchant application comprises one of a web-based application distributed over a network by the merchant system or an application executable on a mobile device associated with the merchant.
wherein the merchant application comprises one of a web-based application distributed over a network by the merchant system or an application executable on a mobile device associated with the merchant (Paragraph 0050 teaches a web store includes one or more computers containing an application used by an end user (e.g., a consumer making a purchase from an online web merchant) to purchase one or more goods and/or services; during the payment portion of a purchase transaction, the web store employs an application-programming interface (API) to transmit a payment-card number to tokenizer, which returns a token for web store to send to application module along with other transaction data).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Cacioppo and McGuire to further incorporate the teachings of McGuire for the merchant application to comprise one of a web-based application distributed over a network by the merchant system or an application executable on a mobile device associated with the merchant.
There is motivation to further combine McGuire into the combination of Cacioppo and McGuire because whether payment-card data is entered through web store or through input module, by tokenizing before capture, tokenizer protects and isolates cardholder data by providing tokens for downstream processing, which prevents application module from being subject to regulatory scrutiny (McGuire Paragraph 0030).

Claims 4-6, 10, 14-16, 20, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Cacioppo (US 20150310425) in view of McGuire (US 20100257612) in further view of Wall (US 20180109508).

Regarding Claims 4 and 14, the combination of Cacioppo and McGuire teaches all the limitations of claims 1 and 11 above; however, the combination does not explicitly teach wherein the selected encryption key is a private encryption key known to the commerce platform, and wherein the merchant system encrypts payment card data using an asymmetric public encryption key corresponding to the private encryption key.
Wall from same or similar field of endeavor teaches wherein the selected encryption key is a private encryption key known to the commerce platform, and wherein the merchant system encrypts payment card data using an asymmetric public encryption key corresponding to the private encryption key (Paragraph 0078 teaches during a transaction, the device encrypts transaction data and card data with the merchant public key and sends the encrypted data to the processing center; the processing center decrypts the encrypted information with the merchant's private key; the first time a transaction is received from the device of a newly registered Merchant 1, the merchant RES′ and associated KEKR are retrieved from the database by the processing device, based on the merchant ID received with the transaction).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Cacioppo and McGuire to incorporate the teachings of Wall for the 
There is motivation to combine Wall into the combination of Cacioppo and McGuire because a unique merchant ID and other credentials are also generated, as is known in the art, and sent to the Merchant 1. Terminal IDs are used by the processing center to determine the device that sent the encrypted HTTPS envelope requesting approval/denial of the payment so that the approval or denial can be sent back to the proper terminal (Wall Paragraph 0071).

Regarding Claims 5, 15, and 23, the combination of Cacioppo and McGuire teaches all the limitations of claims 1, 11, and 21 above; however, the combination does not explicitly teach wherein prior to receiving the transaction request, the method further comprises: generating, by the commerce platform, first private key public key pairs; storing, in a key vault of the commerce platform, private encryption keys form the first private key public key pairs generated by the commerce platform; and providing, by the commerce platform to the merchant system, at least one public encryption key form the first private key public key pairs for merchant system use during card not present transactions with customers.
Wall from same or similar field of endeavor teaches wherein prior to receiving the transaction request, the method further comprises: generating, by the commerce platform, first private key public key pairs (Paragraph 0070 teaches the processing center generates a public/private key pair storing, in a key vault of the commerce platform, private encryption keys form the first private key public key pairs generated by the commerce platform (Paragraph 0075 teaches to securely store the merchant private key, the private key is treated as an RES that is sent to the KMS for encryption, via the applications server; the KMS may encrypt the merchant private key with the KEK that has been generated by the KMS for the processing center; the encrypted merchant private key, also referred to as a merchant region encrypted secret (“merchant RES′”), is returned to the processing center); and providing, by the commerce platform to the merchant system, at least one public encryption key form the first private key public key pairs (Paragraphs 0072-0074 teach the merchant logs into the website of the processing center, authenticates itself using the merchant ID and credentials previously assigned by the processing center, and requests the Payment App from the processing center; if the Merchant 1 is authenticated, the Payment App, which includes a Certificate of the processing center, is downloaded to the merchant device; after the Payment App is downloaded to a respective PIN pad terminal, the PIN pad terminal requests the merchant public key; the public key and signed certificate are downloaded to the PIN pad terminal, which confirms that the public key has been received by a trusted source, by comparing the certificate provided in with the Payment App to the Certificate received with the public key; the public key, Payment App, and Merchant ID may be downloaded to the device via the network, in secure HTTPS envelopes).

There is motivation to combine Wall into the combination of Cacioppo and McGuire because a merchant private key assigned to respective merchants, a “blob” of salts used in card encryption, and AES keys used in card encryption. The merchant private key is used to decrypt data encrypted by the PIN pad terminal based on the associated merchant public key. The salts and AES keys are used in the encryption of the card number (or personal account number) and the card data, respectively, as discussed further below. In this embodiment, the card number and card data themselves are not encrypted by the KMS (Wall Paragraph 0068).

Examiner Note: The phrase “for merchant system use during card not present transactions with customers” does not have patentable weight as it states the intended use of the limitation “providing, by the commerce platform to the merchant system, at least one public encryption key form the first private key public key pairs.”

Regarding Claims 6 and 16, the combination of Cacioppo, McGuire, and Wall teaches all the limitations of claims 5 and 15 above; however, the combination does not explicitly teach periodically generating second private key public key pairs; storing private keys from the generated second private key public key pairs in a key vault of the commerce platform; distributing one or more public encryption keys form the generated second private key public key pairs to the merchant system; and expiring one or more private keys from first private key public key pairs generated prior the second private key public key pairs.
Wall further teaches periodically generating second private key public key pairs (Paragraph 0080 teaches periodically generating a new public/private key pairs by the processing device as described with respect to Step 420 of FIG. 6); storing private keys from the generated second private key public key pairs in a key vault of the commerce platform (Paragraph 0080 teaches the new merchant private key is sent to the KMS for encryption, the encrypted merchant RES′ is received by the processing device, and the new merchant RES′ is stored in the secure database); distributing one or more public encryption keys form the generated second private key public key pairs to the merchant system (Paragraph 0080 teaches the new public key is sent to the device, as described in Step 450 of FIG. 6); and expiring one or more private keys from first private key public key pairs generated prior the second private key public key pairs (Paragraph 0080 teaches the prior merchant RES′ is deleted from the secure database).

There is motivation to further combine Wall into the combination of Cacioppo, McGuire, and Wall because security is further improved by periodically generating a new public/private key pairs (Wall Paragraph 0080).

Regarding Claims 10 and 20, the combination of Cacioppo and McGuire teaches all the limitations of Claims 1 and 11 above; however, the combination does not explicitly teach wherein communications exchanged between the merchant system and the commerce platform are secured using encrypted communications links.
Wall from same or similar field of endeavor teaches wherein communications exchanged between the merchant system and the commerce platform are secured using encrypted communications links (Paragraphs 0052-0053 teach authorization is requested in an encrypted, HTTPS envelope that is sent to the respective payment processor via the network; after validation, the payment processor routes the data to the card brand of the card, 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Cacioppo and McGuire to incorporate the teachings of Wall for communications exchanged between the merchant system and the commerce platform to be secured using encrypted communications links.
There is motivation to combine Wall into the combination of Cacioppo and McGuire because using secured encrypted communications links to transmit sensitive information improves security.

Claims 9, 19, and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Cacioppo (US 20150310425) in view of McGuire (US 20100257612) in further view of Beye (US 20190259026).

Regarding Claims 9, 19, and 25, the combination of Cacioppo and McGuire teaches all the limitations of Claims 1, 11, and 21; however, the combination does not explicitly teach in response to the receipt of the transaction request from the merchant system, the commerce platform generating a token, wherein the token comprises a unique identifier for the transaction associated with the transaction request; providing, by the commerce system to the merchant system, the token prior to performing the authorization; and returning the transaction authorization for the transaction request to the merchant system by reference to the token.
Beye from same or similar field of endeavor teaches in response to the receipt of the transaction request from the merchant system, the commerce platform generating a token, wherein the token comprises a unique identifier for the transaction associated with the transaction request (Paragraphs 0055 and 0059 teach a request or demand for event processing may be generated that includes an amount associated with the event, a first unique identifier associated with the event, instructions for transmitting funds to an account of the vendor, and the like; a single-use event processing token may be generated for use in processing the event that includes an anonymous event processing source from which to transfer funds to the vendor account; the single-use event processing token may also include mapping data mapping the anonymous event processing source to a user event processing source); providing, by the commerce system to the merchant system, the token prior to performing the authorization (Paragraphs 0060-0061 teach the single-use event processing token may be transmitted to the client computing device; the single-use event processing token may be received by the client computing device and transmitted to the vendor computing system; the single-use event processing token may be received by the vendor computing system and may be used to process the requested event); and returning the transaction authorization for the transaction request to the merchant system by reference to the token (Paragraphs 0061 and 0064 teach processing the requested event may include generating an instruction to process the event based 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Cacioppo and McGuire to incorporate the teachings of Beye to in response to the receipt of the transaction request from the merchant system, the commerce platform generating a token, wherein the token comprises a unique identifier for the transaction associated with the transaction request; providing, by the commerce system to the merchant system, the token prior to performing the authorization; and returning the transaction authorization for the transaction request to the merchant system by reference to the token.
There is motivation to combine Beye into the combination of Cacioppo and McGuire because a user may request to process an event (e.g., payment for goods or services) and may transmit a request to an event processing computing platform. the single-use token will include information for processing the event, such as an anonymous source from which the event may be processed. The single-use token may include no information identifying a user, event processing source of .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Lakshmanan et al. (US 20150310431) a payment system implemented on a mobile device authenticates transactions made via the mobile device. The mobile device generates a public-private key pair and receives an authenticating input from a user of the device. The public key is sent to a secure payment system, and the authenticating input is used to generate a symmetric key that encrypts the private key. After a transaction is initiated, the mobile device receives an authenticating input from the user. The symmetric key is generated from the authenticating input and the mobile device attempts to decrypt the private key from the encrypted private key using the symmetric key generated by the user's input. The decrypted key is used to sign a transaction authorization message which is sent to the secure payment system, along with payment information, which can verify the signed message via the public key. Additional techniques related to secure payments are also disclosed.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469) 295-9137.  The examiner can normally be reached on 7:30 am - 4:30 pm CST (M-Th).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/COURTNEY P JONES/
Examiner, Art Unit 3685