DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
This Office Action is in response to the Amendment filed on 11/11/2019. In the instant Amendment: Claims 21 and 29 have been amended. Claims 21-39 have been examined and are pending.  This Action is made FINAL.  
Objection: 
Claim 38 is presented twice. Correction is required. 
Response to Arguments
Non-obviousness type double patenting rejection with respect to U.S. Patent No. 10911429 has been maintained. See explanation below. 
Rejection under 35 U.S.C. 101 (software per se) for claims 29-39 has been withdrawn in light of the claim amendment. 
Applicants' arguments in the instant Amendment, filed on 02/04/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant Argues: Byrd and Kent do not disclose “adding an indication to the certificate signing request that the registration authority computer has authenticated the token requestor,” “the certificate authority computer being remote with respect to the registration authority computer and operated by an entity different from the financial institution,” “the certificate authority computer being configured to reject the certificate signing request if the indication that the registration authority computer has authenticated the token requestor is missing from the certificate signing request,” and “wherein receipt of the token requestor ID by the token requestor computer configures the token requestor computer to obtain a token from a token provider computer for a subsequent token-based transaction in which payment data is replaced by the token in an authorization request message” of amended claim 21.  See Remarks at 11-12. 
Examiner’s Response: The examiner respectfully disagrees because these arguments are not persuasive. 
In regards to, “adding an indication to the certificate signing request that the registration authority computer has authenticated the token requestor,” Kent teaches that after verifying user public key (as a credential) or signature, the registration computer (RA) may digitally sign the certificate signing request using the RA private key and generates a RA signature that indicates that the designated RA has generated the certificate signing request. See Kent FIG. 5 and col. 9: 44-53 (“The RA workstation 110 may use any standard protocol for generating a certificate request…The RA workstation 110 may also cryptographically protect the certificate request by digitally signing the request using the RA's 110 private key. The RA workstation 110 then transmits the certificate to CA workstation 130 via network 170.”). 
In regards to, “the certificate authority computer being remote with respect to the registration authority computer and operated by an entity different from the financial institution,” Byrd teaches that a merchant bank or a financial institution may “authorize a third party to perform transaction processing on its behalf.” See Byrd [0043]. Furthermore, Kent teaches that “the RA workstations 110, 112 and 114 receive inputs from users, generate certificates and transmit the certificates to CA workstation 130 over network 170 via a wired, wireless, or optical connection.” See Kent FIG. 1 and col. 4: 15-19 (emphasis added). Thus, Byrd and Kent teach that the RA workstations can be physically remote from the CA workstations, which is/are operated by a third-party. 
In regards to, “the certificate authority computer being configured to reject the certificate signing request if the indication that the registration authority computer has authenticated the token requestor is missing from the certificate signing request,” Kent teaches that the certificate authority computer (CA) verifies that the registration authority computer (RA) has digitally signed a certificate request. Otherwise, an error message can be returned. See Kent col. 9: 62-64; col.10: 1-7 (“The CA workstation 130 then verifies that the request came from RA workstation 110 by using the public key associated with RA workstation 110. That is, if the CA workstation 130 deter mines that the certificate did not come from RA workstation 110, the CA workstation 130 returns an error message.”). 
Finally, Byrd teaches “wherein receipt of the token requestor ID by the token requestor computer configures the token requestor computer to obtain a token from a token provider computer for a subsequent token-based transaction in which payment data is replaced by the token in an authorization request message.” After an initial registration, clients (developer) may receive an assigned ID (i.e., token requestor ID), and may present the assigned ID (in lieu of client account/ payment data) to obtain a digitally signed production key (i.e., access token) for accessing a paid service. See Byrd FIG 6B, [0106] – [0107] (“[A] developer requesting 502 premium access including a production key to a particular service application 456 (the “first service application”) stored on SO computer system 438. Each [developer’s] key alias has a client ID, which enables developer computer system 404 to access the specific service application offered by the SO. API platform 432 receives 504 the developer request for premium access, signs the production key and grants general access to the developer for the first service application. [Note that both the client ID and the production key have been received from a prior registration process.]) (emphasis added). 
In conclusion, applicant’s argument is unpersuasive and the rejection of claim 1 is maintained. Similarly, rejection of independent claim 29, which recite similar matter to claim 1, is also maintained.  
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21 and 29 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 8 of the U.S. Patent No. 10911429.  Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in the independent claims 21 and 29 are anticipated by limitations recited in claims 1 and 8 of US Patent No. 10,911,429, respectively (Refer to the comparison table below for detail). 
Instant Application 17/135,693
Issued Patent No. 10911429
Claim 21.

           A computer-implemented method, comprising: 

receiving, at a registration authority computer, a certificate signing request from a token requestor computer associated with a merchant, wherein the registration authority computer is operated by or on  behalf of a financial institution that manages a financial account associated with the token requestor;  




in response to receiving the certificate signing request, authenticating, by the registration authority computer, the token requestor based on data associated with the financial account; 




adding an indication to the certificate signing request that the registration authority computer has authenticated the token requestor; 
transmitting, by the registration authority computer to a certificate authority computer, the certificate signing request comprising the indication, 




the certificate authority computer being remote with respect to the registration authority computer and operated by an entity different from the financial institution, 


the certificate authority computer being configured to reject the certificate signing request if the indication that the registration authority computer has authenticated the token requestor is missing from the certificate signing request; 










receiving, by the registration authority computer from the certificate authority computer, a token requestor ID for the token requestor; and 

transmitting, by the registration authority computer, the token requestor ID to the token requestor computer, 



wherein receipt of the token requestor ID by the token requestor computer configures the token requestor computer to obtain a token from a token provider computer for a subsequent token-based transaction in which payment data is replaced by the token in an authorization request message.








Claim 29.  
           
Claim 29 is directed to a registration authority computer associated with the method of claim 21. Claim 29 is similar in scope to claim 21and is therefore rejected on the basis of non-statutory double patenting with respect to claim 8 of U.S. Patent No. 10911429. 
Claim 1. 

           A computer-implemented method, comprising:

receiving, at a registration authority computer, a certificate signing request from a token requestor computer associated with a token requestor, wherein the registration authority computer is operated by or on behalf of an acquirer bank that manages a financial account associated with the token requestor, the token requestor being a merchant, the certificate signing request being received in an authorization request message conforming to an ISO 8583 transaction message format;
in response to receiving the certificate signing request, authenticating, by the registration authority computer based on executing a know-your-customer process, the token requestor associated with the token requestor computer utilizing data associated with the financial account;


in response to authenticating the token requestor by the registration authority computer utilizing data associated with the financial account, 
transmitting, by the registration authority computer to a certificate authority computer, a modified certificate signing request comprising an identifier associated with the registration authority computer, the modified certificate signing request being transmitted in the authorization request message, 

the certificate authority computer being operated by an entity different from the acquirer bank, wherein transmitting the modified certificate signing request to the certificate authority computer causes the certificate authority computer to:

verify the registration authority computer authenticated the token requestor based at least in part on determining that the identifier associated with the registration authority computer is included in the modified certificate signing request;

in response to verifying the registration authority computer authenticated the token requestor, generate a token requestor identifier (ID) for the token requestor; and
store a mapping between a token requestor ID and a public key generated by and received from the token requestor computer;


receiving, by the registration authority computer from the certificate authority computer, the token requestor ID for the token requestor;

transmitting, by the registration authority computer, the token requestor ID to the token requestor computer;


receiving, by a transport computer, a subsequent authorization request message comprising a payment token obtained by the token requestor utilizing the token requestor ID, the payment token being provided in lieu of payment data, the subsequent authorization request message comprising an amount for a payment transaction; and
transmitting, by the transport computer to a token provider computer, the subsequent authorization request message comprising the payment token, wherein transmitting the subsequent authorization request message comprising the payment token to the token provider computer causes the token provider computer to replace the payment token in the subsequent authorization request message with the payment data prior to transmitting the subsequent authorization request message to an authorization computer.

Claim 8. 
            
            Claim 8 is directed to a system comprising a registration authority computer and is associated with the method of claim 1. Claim 8 is similar in scope to claim 1. 

 


Claims 22-28 and 30-39 are rejected as being dependent on claims 21 and 29, respectively.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 23, 29, 30, 37-39 are rejected under 35 U.S.C. 103 as being unpatentable Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003).
Regarding claim 21, Byrd discloses a computer-implemented method, comprising: 
receiving, at a registration authority computer, a certificate signing request from a token requestor computer associated with a merchant, wherein the registration authority computer is operated by or on behalf of a financial institution that manages a financial account associated with the token requestor (Byrd FIGs 5, 10, [0036], [0126]. System 100 includes a service provider system (e.g., financial services provider) that allows developers of computer applications to access a variety of service applications hosted by the service provider (SP) computer system. In addition to the registration data, API platform also receives 954 a certificate signing request (CSR) from developer computer device 404, which is uploaded through API portal 420. [Note API platform as the registration authority computer and developer device as the token requestor computer. In [0084]. The developer may be working directly for a merchant. In [0101], the developer maintains a financial account for billing.]); 
in response to receiving the certificate signing request, authenticating, by the registration authority computer, the token requestor associated with the token requestor computer utilizing data associated with the financial account (Byrd FIGs. 5, 10, [0075], [0126]. The registration process will collect, and authenticate as required, the following data elements from the developer: first name, last name, username, password, email address, country, street address, city, state/province, postal code, phone number, and company/university affiliation. Process 950 includes receiving 952 registration data at API platform 432 from developer computer device 404. The registration data is submitted by the developer through API portal 420. API platform also receives 954 a certificate signing request (CSR) from developer computer device 404, which is uploaded through API portal 420. [In [0101], the developer maintains a financial account for billing.].);
the certificate authority computer being [remote with respect to the registration authority computer] and operated by an entity different from the financial institution (Byrd [0043]. Alternatively, a merchant bank may authorize a third party to perform transaction processing on its behalf. In this case, the point-of-sale terminal will be configured to communicate with the third party.); 
receiving, by the registration authority computer from the certificate authority computer, the token requestor identifier (ID) for the token requestor (Byrd FIG. 10, [0127]. Certificate signing server 434 verifies 960 the registration data, signs 962 the certificate request, and returns 964 the signed certificate to API platform 432 in real time. [Here, token requestor identifier (ID) is the client ID. See [0130]. Also Note that in [0045], [0086], API and certificate signing server may share the tasks of assigning client ID’s and signing certificate. In addition, API may reside in a plurality of servers.]); 
transmitting, by the registration authority computer, the token requestor ID to the token requestor computer (Byrd FIG. 10, [0130]. API platform 432 sends 968 the client ID and the signed digital certificate to the developer at developer computer device 404.), 
wherein receipt of the token requestor ID by the token requestor computer configures the token requestor computer to obtain a token from a tokenPage 2 of 17Appl. No. 15/369,488PATENTAmdt. dated November 11, 2019 Reply to Office Action of December 5, 2016provider computer for a subsequent token-based transaction (Byrd FIG 6B, [0106] – [0107]. [A] developer requesting 502 premium access including a production key to a particular service application 456 (the “first service application”) stored on SO computer system 438. Each [developer’s] key alias has a client ID, which enables developer computer system 404 to access the specific service application offered by the SO. API platform 432 receives 504 the developer request for premium access, signs the production key and grants general access to the developer for the first service application. [Note that both the client ID and the production key have been received from a prior registration process]) in which payment data is replaced by the token in an authorization request message (Byrd FIG. 7, [0109] – [0110]. The production key for the developer is updated 520 from general access to premium access, and an email is transmitted 522 to notify the developer. The developer application [then] sends a premium message [that] includes the client ID and the production key provided by the API platform. API platform 432 validates [ ] the client ID and production key. API platform 432 and API services wrapper 436 [then provides] the first service application.). 
Byrd does not explicitly disclose: adding an indication to the certificate signing request that the registration authority computer has authenticated the token requestor; 
transmitting, by the registration authority computer to a certificate authority computer, the certificate signing request comprising the indication, the certificate authority computer being remote with respect to the registration authority computer and operated by an entity different from the financial institution, the certificate authority computer being configured to reject the certificate signing request if the indication that the registration authority computer has authenticated the token requestor is missing from the certificate signing request. 
However, Kent, in an analogous art, discloses an authentication method, comprising:
adding an indication to the certificate signing request that the registration authority computer has authenticated the token requestor; transmitting, by the registration authority computer to a certificate authority computer, the certificate signing request comprising the indication (Kent FIG. 5, Col.9: 40-53. If the user is requesting an attribute certificate, the user may submit data for incorporation into such a certificate, and may sign the data using his private signature key, to bind the attributes to his identity. The RA workstation 110 may then prepare a certificate request by binding the user's public key, along with other information, such as a user ID, to a certificate (step 520). The RA workstation 110 may also cryptographically protect the certificate request by digitally signing the request using the RA's 110 private key. The RA workstation 110 then transmits the certificate to CA workstation 130 via network 170.), 
the certificate authority computer being remote with respect to the registration authority computer and [operated by an entity different from the financial institution] (Kent FIG. 1, col. 4: 14-18. In an exemplary implementation of the present invention, the RA workstations 110, 112 and 114 receive inputs from users, generate certificates and transmit the certificates to CA workstation 130 over network 170 via a wired, wireless, or optical connection.), 
the certificate authority computer being configured to reject the certificate signing request if the indication that the registration authority computer has authenticated the token requestor is missing from the certificate signing request (Kent FIG. 5, col: 9: 35-50, 60-64; col. 10: 5-10.  The RA workstation 110 may then prepare a certificate request by binding the user's public key, along with other information, such as a user ID, to a certificate (step 520). The RA workstation 110 may also cryptographically protect the certificate request by digitally signing the request using the RA's 110 private key. CA workstation 130 receives and examines the certificate request (step 530). The CA workstation 130 then verifies that the request came from RA workstation 110 by using the public key associated with RA workstation 110. That is, if the CA workstation 130 deter mines that the certificate did not come from RA workstation 110, the CA workstation 130 returns an error message.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective date of the claimed invention to combine the teachings of Kent with teachings of Byrd to include the steps of: transmitting a RA modified certificate signing request to the certificate authority CA, to provide users with a means for using a RA to first verify the user, and then digitally signing the user’s public key with RA’s private key and submit the certificate signing request to a certificate authority for further verification, such that the task of validating a certificate signing request of a user is split among RA and CA’s for optimizing computation resources and network security. (See Kent col. 9: 45-50). 
Regarding claim 23, Byrd and Kent disclose the method of claim 21. Byrd further discloses: in response to verifying the registration authority computer authenticated the token requestor, generate a token requestor identifier (ID) for the token requestor (Byrd FIGs 5, 9, [0127], [0130]. After receiving 952 registration data and receiving 954 the CSR, API platform 432 assigns 956 a client ID to the developer's key alias. After a positive verification, API platform 432 stores 966 within memory device 422 the client ID and the signed digital certificate (developer's public key). The combination of the client ID and the developer's public key comprises the production key.); and 
store a mapping between a token requestor ID and a public key generated by and received from the token requestor computer (Byrd FIGs 5, 9, [0127], [0130]. After receiving 952 registration data and receiving 954 the CSR, API platform 432 assigns 956 a client ID to the developer's key alias. After a positive verification, API platform 432 stores 966 within memory device 422 the client ID and the signed digital certificate (developer's public key). The combination of the client ID and the developer's public key comprises the production key.).
Kent further discloses: wherein transmitting the modified certificate signing request to the certificate authority computer causes the certificate authority computer to: verify the registration authority computer authenticated the token requestor based at least in part on determining that the identifier associated with the registration authority computer is included in the modified certificate signing request (Kent FIG. 5, col: 9: 35-50, 60-64; col. 10: 5-10.  The RA workstation 110 may then prepare a certificate request by binding the user's public key, along with other information, such as a user ID, to a certificate (step 520). The RA workstation 110 may also cryptographically protect the certificate request by digitally signing the request using the RA's 110 private key. CA workstation 130 receives and examines the certificate request (step 530). The CA workstation 130 then verifies that the request came from RA workstation 110 by using the public key associated with RA workstation 110. That is, if the CA workstation 130 deter mines that the certificate did not come from RA workstation 110, the CA workstation 130 returns an error message.). 
The motivation is the same as that of claim 21 above. 
Regarding claim 29, claim 29 is directed to a registration authority computer corresponding to the method of claim 1. Claim 29 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 30, Byrd and Kent disclose the registration authority computer of claim 29. Byrd further discloses: wherein the token requestor ID is generated by the certificate authority computer in response to receiving the certificate signing request from the registration authority computer (Byrd FIG. 10, (step 958, step 964), [0127], [0068]. API platform generates a client ID (i.e. token requestor identifier (ID)) in response to a certificate signing request. Furthermore, both the API platform and the certificate signing server are part of the service provider (SP) computer. Also note that the certificate authority and the registration authority can be one entity (see specification at [0045])).
Regarding claim 37, Byrd and Kent disclose the registration authority computer of claim 29. Kent further discloses wherein the identifier associated with the registration authority computer is added to the modified certificate signing request as an indication to the certificate signing authority that the registration authority computer has authenticated the token requestor (Kent FIG. 5, col: 9: 35-50, 60-64; col. 10: 5-10.  The RA workstation 110 may then prepare a certificate request by binding the user's public key, along with other information, such as a user ID, to a certificate (step 520). The RA workstation 110 may also cryptographically protect the certificate request by digitally signing the request using the RA's 110 private key. CA workstation 130 receives and examines the certificate request (step 530). The CA workstation 130 then verifies that the request came from RA workstation 110 by using the public key associated with RA workstation 110. That is, if the CA workstation 130 deter mines that the certificate did not come from RA workstation 110, the CA workstation 130 returns an error message.). 
The motivation is the same as that of claim 29 above. 
Regarding claim 38, Byrd and Kent disclose the registration authority computer of claim 29. Byrd further discloses where receiving the token requestor ID is in response to transmitting the modified version of the certificate signing request (Byrd FIG. 10, [0127], [0130]. Certificate signing server 434 verifies 960 the registration data, signs 962 the certificate request, and returns 964 the signed certificate to API platform 432 in real time. API platform 432 sends 968 the client ID and the signed digital certificate to the developer at developer computer device 404. [Here, token requestor identifier (ID) is the client ID. See [0130]. Also Note that in [0045], [0086], API and certificate signing server may share the tasks of assigning client ID’s and signing certificate. In addition, API may reside in a plurality of servers.]). 
Regarding claim 39, Byrd and Kent disclose the registration authority computer of claim 29. Byrd further discloses wherein the certificate authority computer is configured to maintain a mapping the token requestor ID generated for the token requestor and the public key of the token requestor (Byrd FIGs 5, 9, [0127], [0130]. After receiving 952 registration data and receiving 954 the CSR, API platform 432 assigns 956 a client ID to the developer's key alias. After a positive verification, API platform 432 stores 966 within memory device 422 the client ID and the signed digital certificate (developer's public key). The combination of the client ID and the developer's public key comprises the production key.). 
Kent further discloses wherein the modified certificate signing request comprises a public key associated with the token requestor (Kent FIG. 5, col: 9: 35-50, 60-64; col. 10: 5-10.  The RA workstation 110 may then prepare a certificate request by binding the user's public key, along with other information, such as a user ID, to a certificate (step 520). The RA workstation 110 may also cryptographically protect the certificate request by digitally signing the request using the RA's 110 private key. CA workstation 130 receives and examines the certificate request (step 530). The CA workstation 130 then verifies that the request came from RA workstation 110 by using the public key associated with RA workstation 110. That is, if the CA workstation 130 deter mines that the certificate did not come from RA workstation 110, the CA workstation 130 returns an error message.). 
The motivation is the same as that of claim 29 above. 

Claims 22 is rejected under 35 U.S.C. 103 as being unpatentable over Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003), and further in view of de Geer (“de Geer,” US 2013/0304646, published Nov 14, 2013). 
Regarding claim 22, Byrd and Kent disclose the method of claim 21. Byrd and Kent do not explicitly disclose: wherein authenticating the token requestor by the registration authority computer comprises executing a know-your-customer process to authenticate the token requestor. 
However, de Geer, in an analogous art, discloses wherein authenticating the token requestor by the registration authority computer comprises executing a know-your-customer process to authenticate the token requestor (de Geer [0032]. FIG. 2 shows a block diagram of a KYC verification system 200 for performing an electronic KYC verification process, from hereinafter referred to as the verification process, according to an embodiment of the present invention. FIGS. 3a and 3b shows two flow charts 300,310 describing embodiments of the present invention for performing said verification process in said verification system 200.) 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective date of the claimed invention to combine the teachings of de Geer with the teachings of Byrd and Kent to include the step of: executing a know-your-customer process, to provide users with a means for a secure, reliable, efficient, and fully electronic KYC process for efficient and reliable identity authentication. (See de Geer [0028], [0032].). 
Claims 31 is rejected under 35 U.S.C. 103 as being unpatentable over Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003), and further in view of Dimmick (“Dimmick,” US 20140164254, published June 12, 2014). 
Regarding claim 31, Byrd and Kent disclose the method of claim 29. Byrd further discloses: wherein the certificate signing request is received and transmitted within an authorization request message (Byrd FIG. 10 (step 952, 954), [0126], API platform receives CSR request and client registration data). 
Byrd and Kent do not explicitly disclose: an authorization request message conforming to the ISO 8583 transaction message format. 
However, Dimmick, in an analogous art, discloses a method wherein an authorization request message conforming to the ISO 8583 transaction message format (Dimmick [0031]. An authorization request message according to some embodiments may comply with ISO 8583, which is a standard for systems that exchange electronic transaction information associated with a payment made by a consumer using a payment device or payment account.).  
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective date of the claimed invention to combine the teachings of Dimmick with the teachings of Byrd and Kent to include the step of: an authorization request message conforming to the ISO 8583 transaction message format, to provide users with a means for using an ISO 8583 standard for exchanging electronic payment transaction information. (See Dimmick [0031]). 
Claims 24, 27 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003), and further in view of Lee et al. (“Lee,” US 2016/0125402 A1, filed Oct 31, 2014). 
Regarding claim 24, Byrd and Kent disclose the method of claim 21. Byrd further discloses: 
comprising a digital signature generated by the token requestor computer using the token requestor ID generated by the certificate authority computer (Byrd [0127], [0131]. In the future, when developer application 410 sends 980 a message request to service provider computer system 402, API platform 432 receives 982 the message request which includes the client ID and a digital signature created with the private key of the developer. [The client ID has been provided to the developer during registration. See [0130]]),  
wherein transmitting the token provisioning request messages causes the [token provider] computer to retrieve the public key associated with the token requestor ID using the mapping and to verify the digital signature using the public key (Byrd [0131]. API platform 432 identifies 984 developer application 410 associated with the received message request by comparing the received client ID to the corresponding client ID stored within memory device 422. In addition, API platform 432 retrieves 986 the public key stored within memory device 422 and associate with the client ID. API platform 432 verifies 988 the digital signature used to sign the message request by using the public key retrieved 986 from memory device 422 to decrypt the message request.);
wherein transmitting the token to the token requestor computer causes the token requestor computer to transmit an authorization request message including the token (Byrd [0130] – [0131]. API platform 432 sends 968 the client ID and the signed digital certificate to the developer at developer computer device 404. [W]hen developer application 410 sends 980 a message request to service provider computer system 402, API platform 432 receives 982 the message request which includes the client ID and a digital signature created with the private key of the developer [and] the API platform authenticates the request message.).  
Byrd and Kent do not explicitly tech: receiving, by the registration authority computer, a token provisioning request message, the token provisioning request message, transmitting the token provisioning request message to the token provider computer, in response to transmitting the token provisioning request message, receiving, by the registration authority computer from the token provider computer, the token provisioned to the token requestor from by the token provider computer; and transmitting the token to the token requestor computer.  
However, Lee, in an analogous art, discloses a method for requesting and provisioning a payment token, comprising: 
 receiving, by the registration authority computer, a token provisioning request message, the token provisioning request message comprising a digital signature generated by the token requestor computer (Lee FIG. 6 (step S607), [0103] – [0104], Payment device 200 (i.e. registration authority computer) receives a payment request data comprising a digital signature.); 
transmitting the token provisioning request message to the token provider computer (Lee FIG. 6, [0105], the payment device transmits the payment request data to a payment server (i.e. certificate authority and token provider computer)) ; 
in response to transmitting the token provisioning request message, receiving, by the registration authority computer from the token provider computer, the token provisioned to the token requestor from by the token provider computer (Lee [0013], [0110], the payment server transmits an updated payment token to the payment device); 
and transmitting the token to the token requestor computer (Lee [0013], transmitting the updated payment token to the mobile device that submitted the payment request).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Lee with the teachings of Byrd and Kent to include the steps of: a registration authority computer receive and transmit a token provisioning request message, the token provisioning request message comprising a digital signature generated by the token requestor computer, and the registration authority computer further receive and transmit a payment token, to provide users with a means for securely requesting a token with digital signatures and receiving an updated payment token from a payment server (See Lee [0103]-[0105], [0110]).
Regarding claim 27, Byrd, Kent and Lee disclose the apparatus of claim 24. Byrd further discloses transmitting the token provisioning request message to the token provider computer causes the token provider computer to decrypt the digital signature to generate decrypted information and compare the decrypted information against one or more data fields of the token provisioning request message (Byrd [0068], [0131]. API platform, using a public key, decrypts the message request (which includes the digital signature) and verifies digital signature. Furthermore, both the API platform and the certificate signing server are part of the service provider (SP) computer. Also note that the certificate authority and the registration authority can be one entity (see specification at [0045])). 
Regarding claim 33, Byrd and Kent disclose the registration authority computer of claim 29. Byrd further discloses:  
comprising a digital signature generated by the token requestor computer utilizing the token requestor ID generated by the certificate authority computer (Byrd [0127], [0131]. In the future, when developer application 410 sends 980 a message request to service provider computer system 402, API platform 432 receives 982 the message request which includes the client ID and a digital signature created with the private key of the developer. [The client ID has been provided to the developer during registration. See [0130]]), 
wherein transmitting the token provisioning request messages causes the [token provider] computer to obtain a public key associated with the token requestor ID and verify the digital signature using the public key (Byrd [0131]. API platform 432 identifies 984 developer application 410 associated with the received message request by comparing the received client ID to the corresponding client ID stored within memory device 422. In addition, API platform 432 retrieves 986 the public key stored within memory device 422 and associate with the client ID. API platform 432 verifies 988 the digital signature used to sign the message request by using the public key retrieved 986 from memory device 422 to decrypt the message request.). 
Lee further discloses: receiving a token provisioning request message comprising a digital signature (Lee FIG. 6 (step S607), [0103] – [0104], Payment device 200 (i.e. registration authority computer) receives a payment request data comprising a digital signature.); and 
transmitting the token provisioning request message to the token provider computer (Lee FIG. 6, [0105], the payment device transmits the payment request data to a payment server (i.e. certificate authority and token provider computer)). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Lee with the teachings of Byrd and Kent to include:  receiving a token provisioning request message comprising a digital signature and transmitting the token provisioning request message to the token provider computer, to provide users with a means for securely requesting a token with digital signatures and receiving an updated payment token from a payment server (See Lee [0103]-[0105], [0110]).
Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003) and Lee et al. (“Lee,” US 2016/0125402 A1, filed Oct 31, 2014), and further in view of Hamann et al. (“Hamann,” US 7,096,365 B1, patented August 22, 2006). 
Regarding claim 25, Byrd, Kent and Lee disclose the method of claim 21. Lee further discloses wherein the token provisioning request message comprises a digital signature (Lee FIG. 6, [0105], the payment device transmits the payment request data to a payment server (i.e. certificate authority and token provider computer)), the digital signature is generated based on the token requestor ID, an identifier associated with registration authority computer, an identifier associated with the token requestor, a terminal identifier, a time stamp (Lee [0051]. The mobile device 100 creates a digital signature through encrypting the payment device token that is received at S201and a user token that is stored in the mobile device 100, and creates payment request data that includes the created digital signature (S203). In particular, the mobile device 100 may encrypt a time stamp [ ] and make the encrypted time stamp further included in the digital signature.) 
Byrd, Kent and Lee does not explicitly teach: digital signature is generated based a message counter. 
 However, Hamann, in an analogous art, discloses a method for generating a digital signature comprising: digital signature is generated based a message counter (Hamann FIG. 5, Col. 5: 24-28, 36-40, signature counter information (i.e. message counter) is used with other information to generate a digital signature). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Hamann with the combined teachings of Byrd, Kent and Lee to include the steps of: digital signature is generated based a message counter, to provide user with a means to more securely generating digital signatures. (See Hamann Col. 5: 24-28, 36-40). 
Claims 26, 28 and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003) and Lee et al. (“Lee,” US 2016/0125402 A1, filed Oct 31, 2014), and further in view of Kirillin et al. (“Kirillin,” US 2013/0297513 A1, filed November 7, 2013).
Regarding claim 26, the Byrd, Kent and Lee disclose the method of claim 24. 
Byrd, Kent and Lee do not explicitly teach: notifying an authorization computer related to the token provisioning request message that the token has been provisioned to the token requestor, the authorization computer being associated with an issuer corresponding to the token-based transaction. 
However, Kirillin, in an analogous art, discloses notifying an authorization computer related to the token provisioning request message that the token has been provisioned to the token requestor, the authorization computer being associated with an issuer corresponding to the token-based transaction (Kirillin FIG,3 [0044]- [0046]. At 336, client device 303 can register for notifications with SMS gateway 309 and in response receive a device token from SMS gateway 309. At 340, client device 303 can send the session id, the certificate signing request, and the device token to bank server 305 which can then pass on the user id, the certificate signing request, and the device token to SPOC server 307. At 356, SPOC server 307 can validate the user id, OTP3, and OTP4 [and then sign] the certificate. At 358, the device certificate can be sent to bank server 305. At 360, the device certificate can be sent to client device 303.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Kirillin with the combined teachings of Byrd, Kent and Lee to include the steps of: notifying an authorization the token has been provisioned to the token requestor, to provide users with a means for improved network security through using a bank server and another SPOC server for validation and certificate signing. (See Kirillin [0046]).
Regarding claim 28, Byrd and Kent disclose the method of claim 21. 
Lee further discloses receiving, by the registration authority computer from the token requestor computer, the authorization request message associated with a token-based transaction, the authorization request message comprising the token and the digital signature generated by the token requestor computer (Lee FIG. 6 (step S607), [0103] – [0104], Payment device 200 (i.e. registration authority computer) receives a payment request data comprising a digital signature.); 
transmitting, by the registration authority computer to the token provider computer, the authorization request message (Lee FIG. 6, [0105], the payment device transmits the payment request data to a payment server (i.e. certificate authority and token provider computer)). 
 Byrd, Kent and Lee do not explicitly teach: wherein receipt of the authorization request message by the token provider computer causes the token provider computer to modify the authorization request message prior to sending the authorization request message to an authorization computer; receiving, by the registration authority computer, an authorization response message corresponding to the authorization request message; and transmitting, by the registration authority computer to the token requestor computer, the authorization response message.
However, Kirillin, in an analogous art, discloses a token provisioning method comprising: 
wherein receipt of the authorization request message by the token provider computer causes the token provider computer to modify the authorization request message prior to sending the authorization request message to an authorization computer (Kirillin FIG. 5A (step 524), [0054], client device can transmit the session ID and device token to bank server (i.e. certificate authority), and the bank server may extract a device ID and send the device id and device token (i.e. modified authorization request message) to SPOC server (i.e. authorization server)); 
receiving, by the registration authority computer, an authorization response message corresponding to the authorization request message (Kirillin FIG. 5A, [0055], upon SPOC authentication, SPOC server can transmit a “success” message to the bank server, and the bank server transmits the “success” message to the user device); and 
transmitting, by the registration authority computer to the token requestor computer, the authorization response message (Kirillin FIG. 5A, [0055], upon SPOC authentication, SPOC server can transmit a “success” message to the bank server, and the bank server transmits the “success” message to the user device).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Kirillin with the combined teachings of Byrd, Kent and Lee to include to include the steps of: the certificate authority computer modifies the authorization request message prior to sending the authorization request message to an authorization computer; receiving an authorization response message and transmitting the authorization response message to the token requestor computer, to provide user with a means for providing a multi-factor user and device authentication before granting access to bank accounts. (See Kirillin [0055]). 
Regarding claim 32, claim 32 is directed to a registration authority computer corresponding to the method of claim 26. Claim 32 is similar in scope to claim 26 and is therefore rejected under similar rationale. 
Claims 34-36 are rejected under 35 U.S.C. 103 as being unpatentable over Byrd et al. (“Byrd,” US 2012/0179907 A1, published July 12, 2012), in view of Kent (“Kent,” US 6671804 B1, patented Dec. 30, 2003) and Lee et al. (“Lee,” US 2016/0125402 A1, filed Oct 31, 2014), and further in view of Biggs et al. (“Biggs,” US 2017/0034172 A1), filed July 30, 2015. 
Regarding claim 34, Byrd and Kent disclose the registration authority computer of claim 29. 
Lee further discloses:  wherein the token is a first token associated with a first token domain (Lee FIG. 6, [0103] – [0104], mobile device transmits a request data that includes a first token); 
transmitting a token provisioning request message to a certificate authority computer using the first token, wherein the token provider computer generates a second token in response to receiving the token provisioning request message (Lee FIG. 6, [0105], [0109], payment device transmits the request message to a payment server, where the payment server updates the payment and user tokens (i.e. second token)); 
receiving the second token from the token provider computer (Lee FIG. 6, [0110], payment server transmits updated token (i.e. second token) to the payment device); 
and transmitting the second token to the token requestor computer (Lee [0013], transmitting the updated payment token to the mobile device that submitted the payment request).
Byrd , Kent and Lee do not explicitly teach: the second token being associated with a second token domain that is different than the first token domain. 
However, Biggs, in an analogous art, discloses a token provisioning method comprising: the second token being associated with a second token domain that is different than the first token domain (Biggs FIG 2B, [0028], [0034] – [0035]. The first token, T, has a broader authorization scope (i.e. token domain) than the reduced scope access token T1. An operation is performed where access token T is submitted to an authorization server in exchange for a reduced scope token T1).  
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Biggs with teachings of Byrd, Kent and Lee to include: wherein the second token being associated with a second token domain that is different than the first token domain, to provide user with a means for restricting access to mobile device applications. (See Biggs [0035]). 
Regarding claim 35, Byrd, Kent, Lee and Biggs disclose the registration authority computer of claim 34. Byrd further discloses wherein the token provisioning request message is routed through a transport computer prior to being received by the token provider computer, and wherein the transport computer authenticates an identity of a token requestor associated with the token provisioning request message (Byrd FIGs 5, 10, [0075], [0126]-[0127]. The registration process will collect, and authenticate as required, the following data elements from the developer: first name, last name, username, password.  In addition to the registration data, API platform also receives 954 a certificate signing request (CSR) from developer computer device 404, which is uploaded through API portal 420. The CSR includes a public key associated with the developer. API platform 432 forwards 958 the registration data and the CSR to certificate signing server 434. Certificate signing server 434 verifies 960 the registration data, signs 962 the certificate request, and returns 964 the signed certificate to API platform 432 in real time.). 
Regarding claim 36, Byrd, Kent, Lee and Biggs disclose the registration authority computer of claim 34. Biggs further discloses wherein the first token domain is associated with a lesser security restriction than the second token domain (Biggs FIG 2B, [0028], [0034] – [0035]. The first token, T, has a broader authorization scope (i.e. token domain) than the reduced scope access token T1. An operation is performed where access token T is submitted to an authorization server in exchange for a reduced scope token T1).  
The motivation is the same as that of claim 34 above. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6  PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




/EDWARD LONG/
Examiner, Art Unit 2439



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439