Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

DETAILED ACTION
Applicant filed an amendment on 3/28/22. Claims 9-12, 14-18 are presented and pending. No claims are canceled or amended. This action is a Final Rejection.


Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 9-12 and 14-18 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over
Golin 9652769 and Roth 20140229737

As per claims 14, 18 and 9 Golin discloses;
storing in a card vault component, a payment token in encrypted form and a corresponding token encryption key identifier; Golin (col. 2 lines 60-65)
Roth(0048, 0056token storage security module)
generating a data structure comprised of a first data encryption key stored in encrypted form Golin(col. 17, 19,  lines 1-10)  Roth(0085 key in encrypted for is decrypted)
and a second data encryption key stored in encrypted form and a corresponding first key identifier and second key identifier; 
Golin(col. 16) decrypting the first and second data encryption keys; Golin (col. 17, lines 5-10)
storing the decrypted first and second data encryption keys only in a local data memory of the (computer) that is executing the electronic payment transactions; 
Golin(col.15 lines 28-38, storing first and second keys, col. 6 lines 5-10 computer system)
determining the condition that at least one of the first and second data encryption key identifiers match the token encryption key identifier; Golin(col. 13, lines 30-45, token key identifier)
decrypting the payment token using one of either the first or second data encryption keys that is one generation older than the latest data encryption key; and 
Golin(col. 13 lines 45-50) processing the transaction using the decrypted payment token.  
Golin(col. 14 lines 1-10) Golin does not explicitly disclose “a server”. However Roth fig. 34 teaches a server. The motivation for the combination is that both references are directed to data security.

As per claims 10, 15 Golin does not explicitly disclose what Roth teaches;
 The system of Claim 9 where the local memory is one of: a CPU register, a CPU cache location, a CPU stack location.  Roth (0205 teaches a CPU)
The motivation for the combination is that both references are directed to data security.

As per claims 11, 16, Golin does not explicitly disclose what Roth teaches;
The system of Claim 9 where the local memory is volatile memory local to the CPU comprising the transaction server.  Roth(0207 volatile memory)
The motivation for the combination is that both references are directed to data security.

As per claims 12, 17 Golin discloses;
Golin(third tokens col. 16 lines 20-35)

Response to Arguments
Applicant filed an amendment on 3/28/22. Claims 9-12, 14-18 are presented and pending. No claims are canceled or amended. This action is a Final Rejection.

Rejections under 103 
Respectfully, Applicant traverses the rejection. Golin has nothing to do with a key rotation scheme for encrypting PANs as disclosed by Application. 

Golin's process is one that separates the credit card PAN from its use by means of a token. The distinction between key rotation and PAN tokenization is made clear by Golin. 

Here applicant might not be persuasive because while applicant argument is that Golin has nothing to do with a Key Rotation scheme for encrypting PANS, a re-read of Golin col. 15, 16 appears to teach key rotation and PAN. However, it is noted that “PAN” or primary account number is not claimed by applicant. Thus, applicant argument cannot be persuasive when PAN’s are not claimed nor is the word account claimed.  Thus, applicant argument is not persuasive because it is directed to language not claimed.


The comparison cited by Golin at column 15 is to compare a token that is derived from the PAN stored on one system to a token that is fetched from another system in order to confirm the second system is authorized to run a payment…. 
This is totally different from key rotation technique as claimed by Applicant for the purposes of encrypting a PAN in the first place with fresh encryption keys. 

The MPEP 2143 VI: teaches that "If the proposed modification or combination of the prior art would change the principle of operation of the prior art invention being modified, then the teachings of the references are not sufficient to render the claims prima facie obvious." In re Ratti, 270 F.2d 810, 813, 123 USPQ 349, 352 (CCPA 1959); see also Plas Pak v. Sulzer (Appeal No. 83-1281, Serial No. 124312 Fed. Cir. 2015)(citing In re Ratti as authority for this legal principle). Examiner's analysis leaves a lot to the imagination by skipping over specific claim limitations that are "key" to the invention. As the MPEP 2143.03 teaches, "All words in a claim must be considered in judging the patentability of that claim against the prior art." In re Wilson, 424 F.2d 1382, 1385, 165 USPQ 494, 496 (CCPA 1970). 

Here again the lack of PAN’s is going to make any argument directed to PAN’s not persuasive in view of the lack of claiming PANs. However, applicant could claim the PAN-Rotation scheme argued to further make the claims distinguish over the art, depending on how the “scheme” is claimed.  

For example, Examiner cites to Golin at 2: 60-65 as disclosing the claim element "encryption 
key identifier." Yet that section of Golin makes no mention of that: …. 


Here applicant might not be persuasive because Golin col. 15 for example contains encryption keys…..and identifiers, see also col. 16. In addition to the cited portions in col. 13.

The examiner goes on to cite Golin at 17:3-10 for disclosure of the claim element "decrypting the first and second data encryption keys....." Here is the passage: …


Yet this section describes the decryption of the "encrypted payment information", implying the 
PAN itself, not two data encryption keys as in the claim element, claimed by Applicant. It 
doesn't make sense. 


Here applicant takes the citations out of context. Col. 13 disclosed that the subjects of the encryption / decryption are Keys as does the tope of col. 17. “decrypts the encrypted payment information based on the first key…” A first key implies a second key, however, quite literally second key can be found in col. 16 line 1, and col. 15 for example.

Thus, applicant might not be persuasive here because the system of Golin is for encryption/decryption of keys. 


Further down, Examiner's rejection cites to Col. 13: 30-45 as disclosing the step of 
"determining the condition that at least one of the first and second data encryption key identifiers match the token encryption key identifier." Yet here is the section cited by the Examiner: ….

Here “the condition” may lack antecedent basis. It appears that applicant might be concerned about the literal term match…. Which can be found in col. 17. Lines 25-30 in regards to token encryption key identifiers.

The problem here is that the passage does not refer to two data encryption key identifiers subject to a matching test with a token encryption key identifier. Nothing in the passage suggests that the 
"second memory record of the token database" is an encryption key identifier. Reading on, the 
passage describes: …

Here, applicant is not persuasive because the language of the claims uses “at least one of the first and second data encryption key identifiers…” Broadly speaking at “least one “ only requires one though applicant could amend the claims to require two key identifiers. 

This remainder of the passage is interesting because it suggests that the Golin prior art is 
teaching away from using encryption and decryption to "generate the contents of a token and process same." MPEP §2145 X D 2 teaches that it is improper to combine references where the references teach away from their combination. In re Grasselli, 713 F.2d 731, 743, 218 USPQ 769, 779 (Fed. Cir. 1983) 

But in any case, earlier in Column 13, at lows 5-12, it is clear that only one encryption key is 
being discussed: …

Again, “at least one” only requires one… not two. The combination of references argument would not be persuasive as the examiner may combine related art under 35 USC 103(a) and a proper motivation was provided. 


Finally, the rationale presented in the rejection fails to show where in the prior art there is 
disclosure of the claim limitation "decrypting the payment token using one of either the first or second data encryption keys that is one generation older than the latest data encryption key." It is not prima facie obvious if one claim limitation is not disclosed by the cited prior art. 

 In conclusion applicant argues that the “obviousness” rejection cannot be sustained with mere conclusionary statements…

Here again. A combination can be asserted if it is reasonable. The applicant arguments regarding “first or second” may not be persuasive because “or” is a choice that does not require both elements.  

It is noted the instant application is a continuation of an allowed parent case. Thus, the examiner can and has offered to allow the instant case based on a broader version of the parent.





Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE I EBERSMAN whose telephone number is (571)270-3442. The examiner can normally be reached 8:00 am - 5:00 pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael W Anderson can be reached on 571-270-0508. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BRUCE I EBERSMAN/Primary Examiner, Art Unit 3698