Detailed Action
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on January 3, 2022 has been entered.
 
Status of Claims
2.	Claims 2, 9, and 16 are cancelled
3.	Claims 1, 3, 4, 8, 10, 11, 15, 17, and 18 are amended
4. 	Claims 1, 3-8, 10-15, and 17-20 are pending

Claim Rejections - 35 USC § 112

5. 	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



s 1, 3-8, 10-15, and 17-20   are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
7.	In claims 1, 8, and 15 recite “a portion of the information about the user but does not include a sufficient amount of the information” are a relative term which, renders the claims indefinite. The terms are not defined by the claim. The specification does not cite ““a portion of the information about the user but does not include a sufficient amount of the information” and it
does not provide a standard for ascertaining the measure or capacity of “a portion” and “sufficient amount (i.e., quantity or measure), and one of ordinary skill in the art would not be
reasonably apprised of the scope of the invention.
8.	In claim 1, 8, and 15, recite “improve security of the payment credentials that the user attempted to store in memory of the merchant device” and “further improve security of the payment credentials that the user attempted to store in memory of the merchant device”. The limitations, respectively, which are intended results of process steps positively recited and are not given any patentable weight. The claims as recite failed to provide clear-cut indication of claim scope because the intended use language as recited is not precise and definite resulting in no boundaries on the claim limitation. Therefore, the terms are indefinite. (Examiner note: the claim functional language is mere statement of purpose and intended result that is “non-limiting”. The claim functional language does not result in a manipulative difference in the steps of the claim.(essence of the invention)) 
9.	Claims 3-7, 10-14, and 17-20 are dependent on claims 1, 8, and 15 respectively
10.	Appropriate action is required. 

Claim Rejections - 35 USC § 101
11.	35 U.S.C. 101 reads as follows:



12.	Claims 1, 3-8, 10-15, and 17-20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims 1, 3-8, 10-15, and 17-20 are held to claim an unpatentable abstract idea, and are therefore rejected as ineligible subject matter under 35 U.S.C. § 101.
13.	Therefore, claims 1, 3-8, 10-15, and 17-20 were analyzed for U.S.C. 101 as follows:
14.	Claims 1, 3-7 are directed to an apparatus, claims 8, 10-14 are directed to a method, and claims 15, 17-20 are directed to a system.  Claims 1, 3-8, 10-15, and 17-20 fall within one of the four statutory categories of invention. (Step 1: Yes)
15.	In claim 1, corresponding representative claims 8 and 15, the limitations that define an abstract idea (in bold) are below (claim 1 is shown below as a representative):

An credential security apparatus comprising: a memory; and a hardware processor communicatively coupled to the memory, the hardware processor configured to: 
receive, from a merchant, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials in memory of a merchant device associated with the merchant; 
send a widget to a device of the user;
after sending the widget to the device of the user, receive an authentication confirmation indicating that the user is authenticated to use the payment credentials, wherein the authentication confirmation is provided through user interaction with the widget at the device of the user;
determine, authenticate the user using the authentication information; that the user is authenticated; and 
after receiving the authentication confirmation indicating that the user is authenticated, generate an authorization token, wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user;
improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in memory of the merchant device; 
after sending the authorization token to the merchant, receive the authorization token from the merchant; 
after receiving the authorization token, generate an access token, the access token configured to establish a session with the merchant; 
send the access token to the merchant; receive, from the merchant, the access token; validate the received access token; 
after validating the received access token: generate a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in memory of the merchant device; 
establish the session with the merchant using the received access token; and 
further improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in memory of the merchant device
16.	In claim 1, corresponding representative claims 8 and 15, are steps for receiving, identifying, sending, communicating, and authenticating financial data to process a payment transaction using masked credentials for securing online transactions. The above steps are providing a user masked credentials to process the payment transaction without storing the credentials with the merchant which are concepts that are in the grouping of Abstract ideas related to Certain Methods of Organizing specifically commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations) 
17.	Independent claim 1, corresponding representative claims 8 and 15, recite the additional components of “merchant device”, “device”, “memory”, “hard processor”, “credential security tool” and the additional element of the “access token”, “authorization token” and “widget”. The additional elements and additional components are no more than generally linking the use of the judicial exception to a particular technological for field of use. The mere nominal recitation of “widget”, “credential security tool”, “merchant device”, “hard processor” and “memory” does not take the claim limitation out of the abstract idea (i.e., a generic processor and memory performing a generic computer function of receiving, identifying, sending, and storing financial data for authentication of the user for processing a financial transaction). The limitations of after receiving the authentication confirmation indicating that the user is authenticated, generate an authorization token, wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user, improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in memory of the merchant device, after sending the authorization token to the merchant, receive the authorization token from the merchant, after receiving the authorization token, generate an access token, the access token configured to establish a session with the merchant; send the access token to the merchant, receive, from the merchant, the access token; validate the received access token, after validating the received access token, establish the session with the merchant using the received access token. The limitations, other than reciting “authorization toke,” and “access token” suggesting a technological environment in which to implement or apply the abstract idea. The claims 1, corresponding representative claims 8 and 15, are directed to an abstract idea
18.	The interpretation of the computing components are consistent with applicant's specification which describes the components in broad terms:
Memory 114 may store, either permanently or temporarily, data, operational software, or other information for processor 112. Memory 114 may include any one or a combination of volatile or non-volatile local or remote devices suitable for storing information. For example, memory 1 14 may include random access memory (RAM), read only memory (ROM), magnetic storage devices, optical storage devices, or any other suitable information storage device or a combination of these devices. (Specification: Pg. 10 Lines 1-6)
Processor 112 is any electronic circuitry, including, but not limited to microprocessors, application specific integrated circuits (ASIC), application specific instruction set processor (ASIP), and/or state machines, that communicatively couples to memory 114 and controls the operation of credential security tool 110. Processor 112 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. Processor 112 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory and executes them by directing the coordinated operations of the ALU, registers and other components. Processor 112 may include other hardware that operates software to control and process information. Processor 112 executes software stored on memory to perform any of the functions described herein. (Specification  Pg. 9 lines15-25)
Credential security tool 110 begins the enrollment function by receiving customer data 116. Customer data 116 may include information that identifies a user 102A and information that would identify a particular payment credential such as, for example, a card name and/or issuer name. Credential security tool 110 may use customer data 116 to identify a user 102A and/or a particular payment credential of user 102A. (Specification: Pg. 13, Lines 1-6)
19.	These additional elements and additional computing components amount to no more than generic computing components that do not contribute anything significant or meaningful to the claim other than, in combination, suggesting a technological environment in which to implement or apply the abstract idea. The combination of these additional elements is no more than linking the judicial exception to a particular technological environment or field of use and does not provide an inventive concept.
20.	Finally, taken together, the additional elements and no additional components of claim 1, corresponding representative claims 8 and 15, has been considered and are not ordered combinations as defined by the courts. These additional elements do not recite any improvements and do not integrate the abstract idea into a practical application. The claims 1, corresponding claims 8 and 15, are directed to an abstract idea without significantly more.
21.	Dependent claims 3-7, 10-14, and 17- 20 further recite limitations of wherein the masked payment card is exchanged for information for an actual payment card of the user, wherein the masked payment card is discarded after the masked payment card is used to facilitate a transaction by the user and wherein the information about the user is sent after the issuer is selected. Simply suggesting a technological environment (i.e. steps for sending and exchanging information to facilitate a payment transaction then discarding financial data (i.e. mitigate risk) upon which the abstract idea may be implemented does not alter or transform the abstract idea. The limitation of wherein the authorization token may be presented to initiate a transaction for the user, wherein the user selects an issuer of the payment credentials. The additional element of the “authorization token”, automates the payment receiving and authorizing step. The additional element is no more than mere instructions to apply the exception using a generic computer component (authorization token). The claims are directed to an abstract idea 
22.	There are no additional components and the additional element of “authorization token” is presented to initiate a transaction. The additional element is no more than mere instructions to apply the exception using a generic computer component. Therefore, the additional element and no additional components are recited at a high level of generality and does not amount to anything more than instructions to perform the abstract idea using a generic computer. The claims do not recite any improvements to the generic computing component. The claim does not recites additional elements that integrate the exception into a practical application of that exception Therefore, similar to the independent claim, dependent claims 3-7, 10-14, and 17- 20 further are directed to an ineligible judicial exception without any significant more.
23.	In summary, the independent and dependent claims, both individually and in combination with the ordered claims, do not provide meaningful limitations to transform the abstract idea into a patent eligible application of the abstract idea such that the claims amount to significantly more than the abstract idea itself. The claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment. Therefore, the claims 1, 3-8, 10-15, and 17-20 are rejected under 35 U.S.C. § 101 as being directed to non-statutory subject matter

Claim Rejections - 35 USC § 103
24.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
25.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
26.	Claims 1, 3-8, 10-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Purves et. al (US Patent Application Publication No.: 2017/0213200; hereafter known as Purves) and in further view of Ortiz et. al (US Patent Publication No.: 2018/0293573; hereafter known as Ortiz) 
27.	In claim 1: Purves discloses,
A credential security apparatus comprising: (i.e., the present invention may be embodied as methods, systems, computer readable media, apparatuses, or devices and widget may control the user experience and facilitate interaction with an authentication widget of the issuer for verifying whether a credential provided by the user can be used to successfully authenticate the user.) (Purves: Paragraph [0012], [0017])
a memory; and (i.e., computers and servers may be general purpose computers that may have, among other elements, a microprocessor (such as from the Intel Corporation, AMD or Motorola); volatile and non-volatile memory) (Purves: Paragraph [0047], [0052])
a hardware processor communicatively coupled to the memory, the hardware processor configured to: (i.e., may communicate with any other device via one or more networks where corresponding structure is a general-purpose computer, processor, or microprocessor including volatile and non-volatile memory) (Purves: Paragraph [0047], [0048], [0056])
send a widget to a device of the user; (i.e., GUI may also include one or more widgets. A widget may be computer code downloaded from the merchant's server 102 and stored by memory of the user device 110. The computer code, when executed, may cause the user device 110 to access another computer, device, or service, to process received user input where the server may process user identifying information, such as the device-based information and/or alias-based information to determine that the user has accounts with one or more different issuers) (Purves: Paragraph [0021], [0022], [0024])
after receiving the authentication confirmation indicating that the user is authenticated, generate an authorization token, (i.e., in response to successful authentication, the payment processor may provide the merchant with a payment token as payment for items being purchased from the merchant. the payment processor server 104 may generate and communicate a payment token to the merchant server 102 for authorizing the transaction and making payment.) (Purves: Paragraph [0014], [0030]) 
	Purves does not disclose,
	receive, from a merchant, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials in memory of a merchant device associated with the merchant;
after sending the widget to the device of the user, receive an authentication confirmation indicating that the user is authenticated to use the payment credentials, wherein the authentication confirmation is provided through user interaction with the widget at the device of the user;  
wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; 
improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in memory of the merchant device; 
after sending the authorization token to the merchant, receive the authorization token from the merchant; 
after receiving the authorization token, generate an access token, the access token configured to establish a session with the merchant;
send the access token to the merchant; 
receive, from the merchant, the access token; 
validate the received access token; 
after validating the received access token: 
generate a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in memory of the merchant device; 
establish the session with the merchant using the received access token; and 
further improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in memory of the merchant device. 

	However Ortiz discloses,
receive, from a merchant, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials with the merchant; (i.e., pseudo- or proxy card numbers that are specific to the ranking. Such dynamic or pseudo card number identifiers can, for example, be provided in the form of established payment protocols, such as Interac, Visa, Mastercard, etc. When such a pseudo-card number is used in a mobile wallet (POS), in-app, or e-commerce payment, the payment can be routed and otherwise processed in accordance with the corresponding protocol  for example, routing it to the merchant's FI 120, 160, which can further forward it to the user's FI system 120, 160 if/as needed. The user's FI system 120. 160 can process the dynamic card token by analyzing it and applying the preferences indicated therein, or applying the logical criteria referenced or otherwise identified there, to identify one or more funding sources to be applied toward the purchase) (Ortiz: Paragraph [0311], [0326], [0363])
after sending the widget to the device of the user, receive an authentication confirmation indicating that the user is authenticated to use the payment credentials,  wherein the authentication confirmation is provided through user interaction with the widget at the device of the user;  (i.e, Upon selection of the virtual wallet payment option by the requesting user, the merchant's web page may present a secure login, Upon successful log-in or other authorization, FI(s) associated with the designated payment accounts may respond by providing one or more payment tokens where the device may provide means for securely authenticating the device/user to the FI(s) administering the user's payment accounts, such as by way of a trusted platform. Once the user and/or device have been authenticated, the user's FI(s) may transmit electronic payment token(s) to the merchant/acquirer for processing of the transaction.)
(Ortiz: Paragraph [0092], [0093], [0180])
wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; (i.e., payment accounts may respond by providing one or more payment tokens to the merchant, or to an acquirer or other third party payment processor designated by or otherwise associated with the merchant, the token representing one or more method(s) of payment identified within the user's electronic wallet and adequate for satisfying the transaction payment When such a pseudo-card number is used in a mobile wallet (POS), in-app, or e-commerce payment, the payment can be routed and otherwise processed in accordance with the corresponding protocol) (Ortiz: Paragraph {0092], [0206], [0311])
improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in memory of the merchant device; (i.e., generate a funding token for payment of the merchant in satisfaction of the requested transaction. Such a token can comprise data representing a token valuand an account number may be a single-use or single-user or “dynamic card” account number associated with a single transaction. This can, for example, aid in authorizing and tracking transaction, and in subsequent accounting; and provides an additional layer of security, in that such numbers are not associated with permanent or otherwise persistent account numbers) (Ortiz: Paragraph [0275], [0276]) 
(i.e., Upon successful log-in or other authorization, FI(s) associated with the designated payment accounts may respond by providing one or more payment tokens to the merchant, or to an acquirer or other third party payment processor designated by or otherwise associated with the merchant, the token representing one or more method(s) of payment identified within the user's electronic wallet and adequate for satisfying the transaction payment.) (Ortiz: Paragraph [0092], [0361])
after sending the authorization token to the merchant, receive the authorization token from the merchant; (i.e., After the merchant or merchant backend has received the payment token(s), the transaction may be processed and may transmit electronic payment token(s) to the merchant/acquirer for processing of the transaction) (Ortiz: Paragraph [0091], [0093], [0180]) 
after receiving the authorization token, generate an access token, the access token configured to establish a session with the merchant; (i.e., FI associated with the designated payment accounts may respond by providing one or more payment tokens to the merchant) (Ortiz: Paragraph [0092], [0107] [0158])
send the access token to the merchant; (i.e., may transmit a suitably-configured token to the merchant) (Ortiz: Paragraph [0091]) 
receive, from the merchant, the access token; (i.e., respond by providing one or more payment tokens to the merchant, or to an acquirer or other third party payment processor designated by or otherwise associated with the merchant, the token) (Ortiz: Paragraph [0091],[0092], [0225],[0226])
validate the received access token; (i.e., Data representing a user's true identity, or other identity acceptable to a trusted platform 120 as a guarantee of completion of payment or other obligation(s) associated with a transaction, such as an employer's or other associated institution's identity, may be received, validated, and verified through, for example, an onboarding process or other process) (Ortiz: Paragraph [0107]) 
after validating the received access token: (i.e., When the transaction is received from merchant backend 136, 136′, 910, payment gateway 915 may then detect that the received token represents a line of credit or other asset, as a result of the trusted mobile device 110, 600 or merchant backend 136, 136′ 910 encoding the payment message to be detected as such, and then route the transaction directly to issuer 920 associated with the token. Issuer 920 may then settle the transaction by deducting the appropriate amount from the customer's available credit) (Ortiz: Paragraph [0193]) 
generate a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in memory of the merchant device; (i.e., generate a funding token for payment of the merchant in satisfaction of the requested transaction. Such a token can comprise data representing a token valuand an account number may be a single-use or single-user or “dynamic card” account number associated with a single transaction. This can, for example, aid in authorizing and tracking transaction, and in subsequent accounting; and provides an additional layer of security, in that such numbers are not associated with permanent or otherwise persistent account numbers) (Ortiz: Paragraph [0275], [0276]) 
establish the session with the merchant using the received access token; and (i.e.,   payment token may be transmitted over short-range communications 614 or long-range communication 612 for processing by a merchant backend. Alternatively, a user may securely log in to a bank account from within an application or program on user device 110, 110′ using some form of identification information and, once authenticated, the user's bank may transmit electronic payment tokens to the merchant/acquirer for processing of the transaction) (Ortiz: Paragraph [0101], [0154],[0155],[0158]) 
further improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in memory of the merchant device. (i.e., an account number may be a single-use or single-user or “dynamic card” account number associated with a single transaction. This can, for example, aid in authorizing and tracking transaction, and in subsequent accounting; and provides an additional layer of security, in that such numbers are not associated with permanent or otherwise persistent account numbers) (Ortiz: Paragraph [0276]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ortiz and Purves so that the apparatus can include a response for storing the credentials with a merchant by utilizing a masked card and tokens for processing a transaction. Systems and devices in accordance with the disclosure can comprise a wide variety of components, including for example trusted authentication servers, or platforms, for use in simplifying, expediting, and improving the security of data processes such as purchases and other financial transactions. (Ortiz: Paragraph [0065]) Trusted platforms or transaction processing systems in accordance with the invention may be used in authenticating, expediting the processing of, and increasing the security of many types of data processing transactions, in addition to purchases or other transactions involving payments. (Ortiz: Paragraph [0071]) 
28.	In claim 3: The combination of Purves and Ortiz disclose the apparatus of supra, including wherein the masked payment card is discarded after the masked payment card is used to facilitate a transaction by the user. (i.e., an account number may be a single-use or single-user or “dynamic card” account number associated with a single transaction for example be associated with unique, or “dynamic,” identifiers such as pseudo- or proxy card numbers where the numbers are not associated with permanent or otherwise persistent account numbers.  Such payment tokens, which may be multi or single-use or subject to other restrictions or limitations on use) (Ortiz: Paragraph [0143], [0276], [0310], [0311])
29.	In claim 4: The combination of Purves and Ortiz disclose the apparatus of supra, including wherein the masked payment card is exchanged for information for an actual payment card of the user. (i.e., the user may supply the same alias/credential combination, instead of a personal account number (e.g., credit card number, debit card number, etc.), to the merchant's GUI when making online purchases) (Purves: Paragraph [0020])
30.	In claim 5: The combination of Purves and Ortiz disclose the apparatus of supra, including wherein the information about the user’s name and mobile telephone number. Examples of an alias include a username, an email address, phone number, device identifier (e.g., identifier of a computer, laptop, smartphone, tablet computer, etc.) and the like) (Purves: Paragraph [0019], [0023], [0027])
31.	 In claim 6: The combination of Purves and Ortiz disclose the apparatus of supra, including wherein the authorization token may be presented to initiate a transaction for the user. (i.e., communicate a payment token to the merchant server 102 for authorizing the transaction and making payment)  
32.	In claim 7: The combination of Purves and Ortiz disclose the apparatus of supra, including wherein the user selects an issuer of the payment credentials and wherein the information about the user is sent after the issuer is selected. (i.e., in response to the user selection, the checkout widget 202 may update the merchant checkout GUI 112 to display or trigger a second widget corresponding to the selected issuer account for collecting a credential from the user and the checkout widget 202 may update the merchant checkout GUI 112 to include card art 208 of the user's physical credit card for the selected issuer and at least a portion of the user's alias.) (Purves: Paragraph [0024], [0025], [0026])
33.	In claim 8: Purves discloses,
A method comprising: (Purves: Paragraph [0012])
sending by the hardware processor, a widget to a device of the user; (Purves: Paragraph [0022], [0024])
after receiving the authentication confirmation indicating that the user, is authenticated, generating, by the hardware processor, an authorization token (Purves: Paragraph [0014], [0030]), 
	Purves does not disclose,
receiving, by a hardware processor communicatively coupled to a memory and from a merchant, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials in memory of a merchant device associated with the merchant; 
after sending the widget to the device of the user, receiving, by the hardware processor, an authentication confirmation indicating that the user is authenticated to use the payment credentials, wherein the authentication confirmation is provided through user interaction with the widget at the device of the user; 
improving, by the hardware processor, security of the payment credentials that the user attempted to store in memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in memory of the merchant device; 
wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; 
after sending the authorization token to the merchant, receiving, by the hardware processor, the authorization token from the merchant; 
after receiving the authorization token, generating, by the hardware processor, an access token, the access token configured to establish a session with the merchant; 
sending, by the hardware processor, the access token to the merchant; 
receiving from the merchant, by the hardware processor, the access token; 
validating, by the hardware processor, the received access token; after validating the received access token:
generating, by the hardware processor, a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in memory of the merchant device; 
establishing, by the hardware processor, the session with the merchant using the received access token; and 
further improving, by the hardware processor, security of the payment credentials that the user attempted to store in memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in memory of the merchant device.
	However Ortiz discloses,
receiving, by a hardware processor communicatively coupled to a memory and from a merchant, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials memory of a merchant device associated with the merchant; (Ortiz: Paragraph [0311], [0326], [0363])
after sending the widget to the device of the user, receiving, by the hardware processor, an authentication confirmation indicating that the user is authenticated to use the payment credentials, wherein the authentication confirmation is provided through user interaction with the widget at the device of the user; (Ortiz: Paragraph [0092], [0093], [0180])
wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; (Ortiz: Paragraph {0092], [0206], [0311])
improving, by the hardware processor, security of the payment credentials that the user attempted to store in memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in memory of the merchant device; (Ortiz: Paragraph [0275], [0276])
after sending the authorization token to the merchant, receiving, by the hardware processor, the authorization token from the merchant; (Ortiz: Paragraph [0091], [0093], [0180])
after receiving the authorization token, generating, by the hardware processor, an access token, the access token configured to establish a session with the merchant; (Ortiz: Paragraph [0092], [0107] [0158])
sending, by the hardware processor, the access token to the merchant; (Ortiz: Paragraph [0091])
receiving from the merchant, by the hardware processor, the access token; (Ortiz: Paragraph [0091],[0092], [0225],[0226])
validating, by the hardware processor, the received access token; (Ortiz: Paragraph [0107])
after validating the received access token: (Ortiz: Paragraph [0193])
generating, by the hardware processor, a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in memory of the merchant device; (Ortiz: Paragraph [0275], [0276])
establishing, by the hardware processor, the session with the merchant using the received access token; and (Ortiz: Paragraph [0101], [0154],[0155],[0158])
further improving, by the hardware processor, security of the payment credentials that the user attempted to store in memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in memory of the merchant device. (Ortiz: Paragraph [0276])
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ortiz and Purves so that the apparatus can include a response for storing the credentials with a merchant by utilizing a masked card and tokens for processing a transaction. Systems and devices in accordance with the disclosure can comprise a wide variety of components, including for example trusted authentication servers, or platforms, for use in simplifying, expediting, and improving the security of data processes such as purchases and other financial transactions. (Ortiz: Paragraph [0065]) Trusted platforms or transaction processing systems in accordance with the invention may be used in authenticating, expediting the processing of, and increasing the security of many types of data processing transactions, in addition to purchases or other transactions involving payments. (Ortiz: Paragraph [0071]) 
34.	In claim 10: The combination of Purves and Ortiz disclose the method of supra, including wherein the masked payment card is discarded after the masked payment card is used to facilitate a transaction by the user. (Ortiz: Paragraph [0143], [0276], [0310], [0311])
35.	In claim 11: The combination of Purves and Ortiz disclose the method of supra, including wherein the masked payment card is exchanged for information for an actual payment card of the user. (Purves: Paragraph [0020])
36.	In claim 12: The combination of Purves and Ortiz disclose the method of supra, including wherein the information about the user comprises the user’s name and mobile telephone number (Purves: Paragraph [0019], [0023], [0027])
37.	In claim 13: The combination of Purves and Ortiz disclose the method of supra, including wherein the authorization token may be presented to initiate a transaction for the user. (Purves: Paragraph [0030])
38.	 In claim 14: The combination of Purves and Ortiz disclose the method of supra, including wherein the user selects an issuer of the payment credentials and wherein the information about the user is sent after the issuer is selected. (Purves: Paragraph [0024], [0025], [0026])
39.	In claim 15: Purves discloses,
A system comprising: (Purves: Paragraph [0012])
a merchant device comprising a first memory; and (i.e., the present invention may be embodied as methods, systems, computer readable media, apparatuses, or devices) (Purves: Paragraph [0012],[0017])
a credential security tool comprising a second memory and a hardware processor communicatively coupled to the second memory, the hardware processor configured to: (Purves: Paragraph [0016], [0021],[0047], [0052])
after receiving the authentication confirmation indicating that the user is authenticated, generate an authorization token, wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; (Purves: Paragraph [0014], [0030])
Purves does not disclose
receive, from the merchant device, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials in the first memory of the merchant device; 
after sending the widget to the device of the user, receive an authentication confirmation indicating that the user is authenticated to use the payment credentials, wherein the authentication confirmation is provided through user interaction with the widget at the device of the user; (Ortiz: Paragraph [0092], [0093], [0180])
wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; 
improve security of the payment credentials that the user attempted to store in the first memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in the first memory of the merchant device; 
after sending the authorization token to the merchant, receive the authorization token from the merchant; 
after receiving the authorization token, generate an access token, the access token configured to establish a session with the merchant; 
send the access token to the merchant; 
receive, from the merchant, the access token; 
validate the received access token; 
after validating the received access token: 
generate a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in the first memory of the merchant device; 
establish the session with the merchant using the received access token; and 
further improve security of the payment credentials that the user attempted to store in the first memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in the first memory of the merchant device.
	However, Ortiz discloses,
receive, from the merchant device, customer data comprising information about a user, the information about the user communicated in response to the user attempting to store payment credentials with the merchant device; (Ortiz: Paragraph [0311], [0326], [0363])
after sending the widget to the device of the user, receive an authentication confirmation indicating that the user is authenticated to use the payment credentials, wherein the authentication confirmation is provided through user interaction with the widget at the device of the user; (Ortiz: Paragraph [0092], [0093], [0180])
wherein the authorization token includes a portion of the information about the user but does not include a sufficient amount of the information about the user to determine an identity of the user; (Ortiz: Paragraph {0092], [0206], [0311])
improve security of the payment credentials that the user attempted to store in the first memory of the merchant device by sending the authorization token to the merchant without storing the payment credentials in the first memory of the merchant device; (Ortiz: Paragraph [0275], [0276])
after sending the authorization token to the merchant, receive the authorization token from the merchant; (Ortiz: Paragraph [0091], [0093], [0180])
after receiving the authorization token, generate an access token, the access token configured to establish a session with the merchant; (Ortiz: Paragraph [0092], [0107] [0158])
send the access token to the merchant; (Ortiz: Paragraph [0091])
receive, from the merchant, the access token; (Ortiz: Paragraph [0091],[0092], [0225],[0226])
validate the received access token; (Ortiz: Paragraph [0107])
after validating the received access token: (Ortiz: Paragraph [0193])
generate a masked payment card, the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in the first memory of the merchant device; (Ortiz: Paragraph [0275], [0276])
establish the session with the merchant using the received access token; and (Ortiz: Paragraph [0101], [0154],[0155],[0158])
further improve security of the payment credentials that the user attempted to store in the first memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in the first memory of the merchant device. (Ortiz: Paragraph [0276])
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ortiz and Purves so that the apparatus can include a response for storing the credentials with a merchant by utilizing a masked card and tokens for processing a transaction. Systems and devices in accordance with the disclosure can comprise a wide variety of components, including for example trusted authentication servers, or platforms, for use in simplifying, expediting, and improving the security of data processes such as purchases and other financial transactions. (Ortiz: Paragraph [0065]) Trusted platforms or transaction processing systems in accordance with the invention may be used in authenticating, expediting the processing of, and increasing the security of many types of data processing transactions, in addition to purchases or other transactions involving payments. (Ortiz: Paragraph [0071]) 

40.	 In claim 17: The combination of Purves and Ortiz disclose the system of supra, including wherein the masked payment card is discarded after the masked payment card is used to facilitate a transaction by the user. (Ortiz: Paragraph [0143], [0276], [0310], [0311])
41.	In claim 18: The combination of Purves and Ortiz disclose the system of supra, including wherein the masked payment card is exchanged for information for an actual payment card of the user. (Purves: Paragraph [0020])
42.	In claim 19: The combination of Purves and Ortiz discloses the system of supra, including wherein the information about the user comprises the user’s name and mobile telephone number (Purves: Paragraph [0019], [0023], [0027])
43.	In claim 20: The combination of Purves and Ortiz discloses the method of supra, including wherein the authorization token may be presented to initiate a transaction for the user. (Purves: Paragraph [0030])

Response to Arguments
44.	Applicant's arguments with respect to the Drawing Objections, Applicant's remarks and amendments have been fully considered and are persuasive. The Drawing Objections are withdrawn.
45.	Applicant's arguments with respect to the rejection of claims 1, 8 and 15 under U.S.C. 112(b) rejections for limitations “determine and identity of the user using the information about the user” and “determine, using the authentication information”, and “thereby improving security of the payment credentials”. Applicants deleted the rejected limitations. The Applicants remarks and amendments have been fully considered and are persuasive. The U.S.C. 112(b) rejection is withdrawn. 
46.	Applicant's arguments with respect to the rejection of claims1, 3-8, 10-15, and 17-20 under U.S.C. 101 rejections, Applicant's remarks and amendments have been fully considered and are not persuasive.
Applicants argument argue that the amended claims 1, 8, and 15 are integrated into a practical application that provides an improvement to data security technology. The Applicants further argue that the claims involve a judicial exception, the claims are still patent eligible because the claims are integrated into a practical application, and therefore, are not directed to any purported judicial exception.
	The Examiner respectfully disagrees. The amended claims 1, corresponding claims 8 and 15, are steps for steps for receiving, identifying, communicating, and authenticating financial data to process a payment transaction using masked credentials. The Federal Courts have ruled that controlling access based on verifying payment credentials via encryption methods (i.e. generating authorization token) patent claims were ineligible and directed to an abstract idea. The Applicants specification supports the above conclusion where it cites “credential security tool 110 generates an authorization token 120 which may include a key and/or encrypted information that identifies user 102A and/or payment credentials of user 102A” (Specification: pg. 11) and “, the next time user 102A desires to conduct a transaction with merchant 102B using the payment credentials, merchant 102B may present the authorization token 120 to complete the transaction.” (Specification: pg. 11). Therefore the claims, as drafted, are an abstract idea.
The judicial exception is not integrated into a practical application. The amended claims 1, corresponding representative claims 8 and 15, as drafted, are not a technical solution to a technical problem but is a business solution to a business problem (i.e., steps are providing a user masked credentials to process the payment transaction without storing the credentials for securing online transactions). The specification makes clear that the inventions simply displays the payment credential as an authorization token where it recites “The merchant stores the authorization token rather than payment credentials of the user” (Specification: pg. 4). In claim 1, and corresponding claims 8 and 15, recite the additional components of merchant device, device, memory, hard processor, credential security tool and the additional element of the access token, authorization token, and widget. The computer hardware is recited at a high-level of generality (i.e. hardware processor processing and determining user information and a memory to store authorization token) to apply the exception using a generic computer components. The Specification is aligned with the above conclusion where it recites: “Memory 114 may store, either permanently or temporarily, data, operational software, or other information for processor 112. Memory 114 may include any one or a combination of volatile or non-volatile local or remote devices suitable for storing information. For example, memory 1 14 may include random access memory (RAM), read only memory (ROM), magnetic storage devices, optical storage devices, or any other suitable information storage device or a combination of these devices” (Specification: Pg. 10 Lines 1-6), “Processor 112 is any electronic circuitry, including, but not limited to microprocessors, application specific integrated circuits (ASIC), application specific instruction set processor (ASIP), and/or state machines, that communicatively couples to memory 114 and controls the operation of credential security tool 110. Processor 112 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. Processor 112 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory and executes them by directing the coordinated operations of the ALU, registers and other components. Processor 112 may include other hardware that operates software to control and process information. Processor 112 executes software stored on memory to perform any of the functions described herein.” (Specification:  Pg. 9 lines15-25), and “Credential security tool 110 begins the enrollment function by receiving customer data 116. Customer data 116 may include information that identifies a user 102A and information that would identify a particular payment credential such as, for example, a card name and/or issuer name. Credential security tool 110 may use customer data 116 to identify a user 102A and/or a particular payment credential of user 102A” (Specification: Pg. 13, Lines 1-6) See MPEP 2106.05(f) and MPEP 2106.05(h) where using a computer or generally linking use of a judicial exception to a technological environment or field of use is not indicative of a practical application. Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore claim 1, and corresponding representative claims 8 and 15 are directed to an abstract idea without a practical application.
47.	Applicant's arguments with respect to the rejection of claims 1, 3-8, 10-15, and 17-20 under U.S.C. 103 rejections, Applicant's remarks and amendments have been fully considered and are not persuasive.
	The Applicants argument recite that Purves-Sudbury combination fails to teach, suggest, or disclose the amended claim 1 where it recites “A credential security apparatus … in memory of the merchant device” (Arguments & Remarks, pgs. 22-26)
	The Examiner respectfully disagrees. The rejection is improper and moot under the current rejection. The amendments and new limitations have updated into the U.S.C 103 rejection. All amendments and limitations have been disclosed in Purves in view of Ortiz. See above updated U.S.C 103 rejection. 


Conclusion
48.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERNADINE LOTHERY whose telephone number is (571)272-7985. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shahid Merchant can be reached on 5712701360. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/B.L./Examiner, Art Unit 3693                                                                                                                                                                                                        /LINDSAY M MAGUIRE/Primary Examiner, Art Unit 3693