DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Status
As of the Office Action dated January 19, 2022 claims 1-20 were pending and claims 1-20 stood rejected.  Claims 1, 8 and 16 have been amended.  Claim 9 has been cancelled.  No claims have been added.  Claims 1-8 and 10-20 are therefore currently pending and are presented for examination on the merits.
Response to Arguments
Applicant’s argument with regard to the 35 U.S.C. § 103 rejection of claims 1-3, 5-11, 13-17 and 19-20 as being unpatentable over Donaldson et al. (U.S. Patent Publication 2019/0116037, hereinafter referred to as Donaldson) in view of citation to Bidgoli (“The Internet Encyclopedia”, volume 1, A-F, John Wiley & Sons, 2004) and alternatively in view of Lisbakken (U.S. Patent Publication 2012/0016749) has been fully considered and is persuasive.  After further consideration, Examiner concurs that the Donaldson reference does not fairly teach that the fingerprint described in paragraph 0032 is a private key but rather a hash of the public key as defined in paragraph 0026.  Furthermore, given that the generation operation now clearly recites that the code is being generated in a positive manner and that the generated code includes parameters for embedding the plurality of frames from at least one domain that is independent from a domain that hosts the webpage, this language must be afforded patentable weight and is also different from what is taught by Donaldson, because in Donaldson the content provider is generating the iframes and including a key generated by and received from the secure service (0026-0027), and therefore both key and code for the iframe are not being generated in the same operation by the same device in Donaldson, although it should also be pointed out that the language “at least one processor” does not require that only one processor be involved.  Therefore, even though more than one processor can be used in the generation step per the claim, Donaldson cannot fairly be viewed as reading on the claim even when combined with Bidgoli or Lisbakken, as notably neither reference teaches two key pairs or that the fingerprint fairly reads on a private key in general and a second key pair in particular.  Therefore this rejection is being withdrawn.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Christian Ehret (Reg. No. 69,743) on June 1, 2022.
The application has been amended as follows: 
1.	(Previously Presented) A computer-implemented method for securely collecting data via a third-party webpage, comprising:
generating, with at least one processor, configuration data in response to a request from a first system, the configuration data comprising a public key of a first key pair and code configured to facilitate the first system to embed a plurality of frames in a webpage, the code including parameters for embedding the plurality of frames and loading content into the plurality of frames from at least one domain that is independent from a domain that hosts the webpage;
digitally signing, with at least one processor, the configuration data based on a private key of a second key pair;
transmitting, with at least one processor, the configuration data to the first system;
verifying, with at least one processor, the configuration data based on a public key of the second key pair; and
receiving, from a master frame of the plurality of frames embedded in the webpage, encrypted data, the encrypted data comprising user data encrypted with the public key of the first key pair.

2.	(Original) The computer-implemented method of claim 1, further comprising:
decrypting, with at least one processor, the encrypted data based on a private key of the first key pair, resulting in the user data;
transmitting, with at least one processor, the user data to a token management system;
receiving, from the token management system, a transient token generated based on the user data; and
transmitting, with at least one processor, the transient token to at least one frame of the plurality of frames.

3.	(Original) The computer-implemented method of claim 2, wherein the first system is a merchant system, further comprising:
passing the transient token from the at least one frame to the merchant system;
receiving, from the merchant system, a transaction request comprising the transient token;
obtaining, from the token management system, the user data; and
generating an authorization request based on the user data.

4.	(Original) The computer-implemented method of claim 3, wherein the user data is temporarily stored in memory by the token management system, the method further comprising: deleting the user data after authorization based on the authorization request.

5.	(Original) The computer-implemented method of claim 1, wherein the public key of the second key pair is embedded in a library file for a client-side script.

6.	(Original) The computer-implemented method of claim 1, wherein the domain hosting the content loaded into the plurality of frames is hosted by a payment gateway system.

7.	(Original) The computer-implemented method of claim 2, further comprising: digitally signing, with at least one processor, the transient token based on the private key of the first key pair. 

8.	(Currently Amended) A system for securely collecting data via a third-party webpage, comprising:
at least one processor programmed or configured to:
generate configuration data in response to a request from a first system, the configuration data comprising a public key of a first key pair and code configured to facilitate the first system to embed a plurality of frames in a webpage, the code including parameters for embedding the plurality of frames and loading content into the plurality of frames from at least one domain that is independent from a domain that hosts the webpage;
digitally sign the configuration data based on a private key of a second key pair;
transmit the configuration data to the first system; and

receive, from a master frame of the plurality of frames embedded in the webpage, encrypted data, the encrypted data comprising user data encrypted with the public key of the first key pair; and
at least one other processor programmed or configured to: 
verify the configuration data based on a public key of the second key pair.

9.	(Cancelled).

10.	(Original) The system of claim 8, wherein the at least one processor is further programmed or configured to:
decrypt the encrypted data based on a private key of the first key pair, resulting in the user data;
transmit the user data to a token management system;
receive, from the token management system, a transient token generated based on the user data; and
transmit the transient token to at least one frame of the plurality of frames.

11.	(Original) The system of claim 10, wherein the at least one processor is further programmed or configured to:
pass the transient token from the at least one frame to the first system;
receive, from the first system, a transaction request comprising the transient token;
obtain, from the token management system, the user data; and
generate an authorization request based on the user data.

12.	(Original) The system of claim 11, wherein the user data is temporarily stored in memory by the token management system, and
wherein the at least one processor is further programmed or configured to:
delete the user data after authorization based on the authorization request.

13.	(Original) The system of claim 8, wherein the public key of the second key pair is embedded in a library file for a client-side script.

14.	(Original) The system of claim 8, wherein the domain hosting the content loaded into the plurality of frames is hosted by a payment gateway system.

15.	(Original) The system of claim 10, wherein the at least one processor is further programmed or configured to: 
digitally sign the transient token based on the private key of the first key pair.

16.	(Currently Amended) A computer program product for securely collecting data via a third-party webpage, comprising at least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:
generate configuration data in response to a request from a first system, the configuration data comprising a public key of a first key pair and code configured to facilitate the first system to embed a plurality of frames in a webpage, the code including parameters for embedding the plurality of frames and loading content into the plurality of frames from at least one domain that is independent from a domain that hosts the webpage;
digitally sign the configuration data based on a private key of a second key pair;
transmit the configuration data to the first system, wherein the configuration data is verified based on a public key of the second key pair; 

receive, from a master frame of the plurality of frames embedded in the webpage, encrypted data, the encrypted data comprising user data encrypted with the public key of the first key pair; 
decrypt the encrypted data based on a private key of the first key pair, resulting in the user data;
transmit the user data to a token management system;
receive, from the token management system, a transient token generated based on the user data; and
transmit the transient token to at least one frame of the plurality of frames.

18.	(Original) The computer program product of claim 17, wherein the user data is temporarily stored in memory by the token management system, and
wherein the one or more instructions further cause the at least one processor to:
delete the user data after authorization based on the authorization request.

19.	(Original) The computer program product of claim 16, wherein the public key of the second key pair is embedded in a library file for a client-side script.

20.	(Original) The computer program product of claim 16, wherein the one or more instructions further cause the at least one processor to: 
digitally sign the transient token based on the private key of the first key pair.

Allowable Subject Matter
Claims 1-8 and 10-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
As noted above, Donaldson does not fairly teach or suggest the feature of digitally signing the configuration data based on a private key of a second key pair.  Examiner’s search did not reveal any clear teaching of code or configuration data that has been signed with the private key of a second key pair.  Armstrong (U.S. Patent 10,510,053) does teach the use of a second private key (claim 1) but Armstrong is directed towards the transfer of cryptocurrency and not the generation of frames in a webpage and is not suitable for combining with Donaldson or Bidgoli or Lisbakken.  X-Cart:PayPal (“X-Cart:PayPal – X-Cart 4 Classic”, retrieved from https://help.x-cart.com/X-Cart:PayPal, June 9, 2016, 23 pages) and PCI Data Security Standard (PCI DSS) (PCI Security Standards Council, April 2017, 64 pages) both teach the use of inline frames within a merchant website for receiving checkout credentials but fail to recite anything with regard to encryption involving a second key pair.  Therefore no prior art alone or in combination fairly teaches or suggests all of the elements of the claim.  As such claims 1-8 and 10-20 are held as being allowable over the prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES D NIGH whose telephone number is (571)270-5486. The examiner can normally be reached 6:00 to 9:45 and 10:30 to 2:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571) 270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES D NIGH/Senior Examiner, Art Unit 3685