DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This communication is in response to the application filed on 07/21/2021. Claims 1-20 are currently pending and have been examined.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/21/2021 and 09/24/2020 are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. As shown below, the bolded limitations set forth and/or describe the abstract idea.

Claims 1-7 are directed to an Apparatus, claims 8-14 are directed to a Method, and claims 15-20 are directed to a System. Therefore, claims 1-20 are directed to a statutory category of invention under Step 1. 


Step 2A-1: Claim 8 recites: 
A method comprising: 
	receiving, by a hardware processor communicatively coupled to a memory and from a merchant, an authorization token, 
	the merchant communicating the authorization token in response to a user initiating a transaction with the merchant, the 5merchant stores the authorization token rather than payment credentials of the user; 
	after receiving the authorization token from the merchant, communicating, by the hardware processor and to the merchant, information for a masked payment card of the user; 
	after communicating the information for the masked payment card to the 10merchant, receiving, by the hardware processor, the information for the masked payment card and information for the transaction; 
	in response to receiving the information for the masked payment card and the information for the transaction, validating, by the hardware processor, that the information for the masked payment card is correct; and 
	15in response to validating that the information for the masked payment card is correct, communicating, by the hardware processor, information for an actual payment card of the user to complete the transaction.
	If a claim limitation, under its broadest reasonable interpretation, covers performance of ‘Fundamental economic principles or practices, commercial or legal interactions (including agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, business relations), managing personal behavior or relationships or interactions between people (including social activities, teaching , and following rules or instructions)’, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. 	For example, the disclosure establishes the context for receiving, identifying, sending, communicating, and authenticating financial data to process a payment transaction using masked credentials for securing online transactions. The above steps are providing a user masked credentials to process the payment transaction without storing the credentials with the merchant which are concepts that are in the grouping of Abstract ideas related to Certain Methods of Organizing specifically commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations). Therefore, the claim limitations recite an abstract idea, as highlighted above, is consistent with the receiving, identifying, sending, communicating, and authenticating aspects of certain methods of organizing human activity.
The claims recite an abstract idea within the grouping of abstract ideas that covers ‘certain methods of organizing human behavior’. Therefore, we proceed to Step 2A-2 of the analysis.
Independent Claims 1 and 15 recites similar features in system form, and therefore will be considered under the same rationale. 

Step 2A-2: This judicial exception is not integrated into a practical application. The additional elements in the claims (i.e. processor, memory, widget, access token, and merchant device) are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component. 
Nothing in the specification shows that what is described in claim 1 (Apparatus), claim 8 (Method) and claim 15 (System) integrates a judicial exception into the practical application or an improvement upon the uses of an electronic device for typical functions. Recitation of the words "apply it" (or an equivalent) are no more than mere instructions to implement an abstract idea or other exception on a computer. As explained by the Supreme Court, in order to transform a judicial exception into a patent-eligible application, the additional element or combination of elements must do "‘more than simply state the [at a computer system] while adding the words ‘apply it’". Thus, for example, claims that amount to nothing more than cite an instruction to apply the abstract idea using a generic computer do not render an abstract idea eligible. 
Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The invention does not introduce an improvement on the process but only incorporates a computer to automate the process previously mentioned which is consistent with an abstract idea.  The claim does not integrate the abstract idea into a practical application. Therefore, we proceed to Step 2B of the analysis.

Step 2B. The claimed invention is directed to an abstract idea without significantly more. This judicial exception is not integrated into a practical application because: 
The claims 1, 8 and 15 do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the ‘receiving, identifying, sending, communicating, and authenticating’ steps amounts to no more than mere instructions to apply the exception using a generic computer component. Using the broadest reasonable interpretation, the term ‘processor and memory’ could be interpreted as individuals performing functions with the aid of computer components.  Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. Therefore, the claims are not patent eligible.



Dependent claim analysis:
Dependent claims 2, 9 and 16 further recite “the information for the masked payment card is discarded after the transaction is completed.” This limitation merely describes instructions used to carry out the abstract idea and as such merely elaborates on the abstract idea identified in the claims above. There are no new additional elements beyond those analyzed in the claims above for further consideration under Steps 2A.2 or 2B. Therefore, claims 2, 9, and 16 are patent ineligible.
Dependent claims 3, 10, and 17 further recite “communicate an access token to the merchant after receiving the authorization token from the merchant; and receive the access token from the merchant before communicating the 30information for the masked payment card to the merchant.” This limitation merely describes instructions used to carry out the abstract idea and as such merely elaborates on the abstract idea identified in the claims above. Besides access token (which merely is a representation of data), there are no new additional elements beyond those analyzed in the claims above for further consideration under Steps 2A.2 or 2B. Therefore, claims 3, 10, and 17 are patent ineligible.
Dependent claims 4, 11, and 18 further recite “the information for the actual payment card is not communicated to the merchant.” This limitation merely describes instructions used to carry out the abstract idea and as such merely elaborates on the abstract idea identified in the claims above. There are no new additional elements beyond those analyzed in the claims above for further consideration under Steps 2A.2 or 2B. Therefore, claims 4, 11, and 18 are patent ineligible.
Dependent claims 5, 12, and 19 further recite “validate the authorization token before communicating the information for the masked 5payment card to the merchant.” This limitation merely describes instructions used to carry out the abstract idea and as such merely elaborates on the abstract idea identified in the claims above. There are no new additional elements beyond those analyzed in the claims above for further consideration under Steps 2A.2 or 2B. Therefore, claims 5, 12, and 19 are patent ineligible.
Dependent claims 6, 13, and 20 further recite “communicate a widget to a device of the user; receive, through interaction with the widget, authentication information from 10the user; authenticate the user using the authentication information; and after authenticating the user and before receiving the authorization token from the merchant, communicate the authorization token to the merchant.” This limitation merely describes instructions used to carry out the abstract idea and as such merely elaborates on the abstract idea identified in the claims above. Besides ‘widget’, which is merely a computer component that allows a user to perform a function, there are no new additional elements beyond those analyzed in the claims above for further consideration under Steps 2A.2 or 2B. Therefore, claims 6, 13, and 20 are patent ineligible.
Dependent claims 7 and 14 further recite “communicate a payment token to the merchant along with the information for the masked payment card.” This limitation merely describes instructions used to carry out the abstract idea and as such merely elaborates on the abstract idea identified in the claims above. There are no new additional elements beyond those analyzed in the claims above for further consideration under Steps 2A.2 or 2B. Therefore, claims 7 and 14 are patent ineligible.
Further, viewing the claim limitations as an ordered combination does not add anything further than looking at the claim limitations individually. When viewed, either individually or as an ordered combination, the additional claim limitations do not amount to a claim that, as a whole, is significantly more than the judicial exception.  Accordingly, claims 1-20 are patent ineligible.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C.
102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the
statutory basis for the rejection will not be considered a new ground of rejection if the prior art
relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness
rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459
(1966), that are applied for establishing a background for determining obviousness under 35
U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or
nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tang (US10,735,198) and further in view of Benkreira et. al (US2021/0365951) “Benkreira”.

Regarding claim 1, Tang teaches: An apparatus comprising: a memory; and a hardware processor (e.g. Fig. 2, data device) communicatively coupled to the memory, the hardware processor configured to
 […], communicate, to the merchant, information for a masked payment card (e.g. access token) of the user (Column 13, Lines 51-55: receive, from a merchant, an authorization token, the merchant communicating the authorization token in response to a user initiating a transaction with the merchant, the merchant stores the authorization token rather than payment credentials of the user)
after communicating the information for the masked payment card (e.g. access token) to the merchant, receive the information for the masked payment card and information for the transaction (Fig. 2, Items 230 and 235, Column 14: Lines 5-45)
in response to receiving the information for the masked payment card and the information for the transaction, validate that the information for the masked payment card is correct (Fig. 2, Items 240 and 245,Column 14: Lines 45-55)
in response to validating that the information for the masked payment card is correct, communicate information for an actual payment card of the user to complete the transaction (Fig. 2, Items 250, Column 14: Lines 57-67)

Tang does not explicitly teach receiving an authorization token and after receiving the authorization token, communicate the information for a masked payment card to the user, 
However, Benkreira, teaches:
receive, from a merchant (e.g. ATM machine), an authorization token (e.g. authentication), the merchant communicating the authorization token in response to a user initiating a transaction with the merchant, the merchant stores the authorization token rather than payment credentials of the user ([0049] As described above, user authentication methods may include at least biometric authentication, multifactor authentication, PIN-based authentication, and contactless card authentication. Upon successfully authenticating the user, the ATM may grant the user access to its services.
Examiner considers that the portion of the limitation which recites “the merchant communicating the authorization token in response to a user initiating a transaction with the merchant, the merchant stores the authorization token rather than payment credentials of the user”, found in the receiving step, is merely a recited intended use.  This portion is given little to no patentable weight because the limitation, or portion thereof, does not claim the function(s) as being positively recited actions or functions, and/or it does not add any meaning or purpose to the associated manipulative step(s).  See MPEP 2103 C and 2111.04.  Simply because the limitation recites something as being “for … [performing a specific functionality]”, etc. does not mean that the functions are required to be performed, or are actually performed.
after receiving the authorization token from the merchant, communicate, to the merchant, information for a masked payment card of the user (0049] At block 602, a user (e.g. customer) may be authenticated (e.g., at an ATM) and, based on the authentication, the user may be granted access to an interface (e.g., ATM interface). In examples, the user may go to ATM and request a merchant-specific payment apparatus (e.g., temporary payment card). Before the payment apparatus can be requested, the user may need to perform a successful authentication. As described above, user authentication methods may include at least biometric authentication, multifactor authentication, PIN-based authentication, and contactless card authentication. Upon successfully authenticating the user, the ATM may grant the user access to its services.)
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the validation and detokenization system of Tang with receiving the authorization token of Benkreira with the so that the apparatus can include a response for storing sensitive data in a tokenization system so that a merchant does not have direct access. This is done by utilizing tokens for processing a transaction and only providing the necessary information to the Merchant when required. 
In regards to claims 8 and 15, Method claim 8 and System claim 15 correspond generally to Apparatus claim 1, and recite similar features in system form, and therefore are rejected under the same rationale.

Regarding claim 2, Tang teaches: The apparatus of Claim 1, wherein 
	the information for the masked payment card is discarded after the transaction is completed (Column 15, Lines 15-20)
In regards to claims 9 and 16, Method claim 9 and System claim 16 correspond generally to Apparatus claim 2, and recite similar features in system form, and therefore are rejected under the same rationale.

Regarding claim 3, Tang does not explicitly teach 
communicate an access token to the merchant after receiving the authorization token from the merchant; and 
receive the access token from the merchant before communicating the information for the masked payment card to the merchant 

However, Benkreira, teaches: The apparatus of Claim 1, the hardware processor is further configured to:
	communicate an access token (e.g. granted access to the ATM) to the merchant after receiving the authorization token (e.g. authenticated) from the merchant; and ([0049])
receive the access token from the merchant before communicating the information for the masked payment card to the merchant ([0049] Upon successfully authenticating the user, the ATM may grant the user access to its services.)
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the validation and detokenization system of Tang with the authorization system of Benkreira with the so that the merchant does not have direct access to sensitive information. This is done by utilizing tokens for processing a transaction and only providing the necessary information to the Merchant when required. 
In regards to claims 10 and 17, Method claim 10 and System claim 17 correspond generally to Apparatus claim 3, and recite similar features in system form, and therefore are rejected under the same rationale.

Regarding claim 4, Tang teaches: The apparatus of Claim 1, wherein 
	the information for the actual payment card is not communicated to the merchant (Column 16: Lines 25-35: In block 410, the merchant device may analyze the access
token and determine the data device and/or data-holding entity that generated the access token. In some examples, the merchant device may also determine the type of information that the access token is associated with, e.g., the access token is associated with a street address, Social Security number, or a credit card number. Even in these examples, however, the analysis would not reveal to the merchant device the underlying private information, e.g., the street address, Social Security number, or credit card number. )
	In regards to claims 11 and 18, Method claim 11 and System claim 18 correspond generally to Apparatus claim 4, and recite similar features in system form, and therefore are rejected under the same rationale.

Regarding claim 5, Tang does not teach: 
	validate the authorization token before communicating the information for the masked payment card to the merchant 

However, Benkreira, teaches: The apparatus of Claim 1, the hardware processor is further configured to:
	validate the authorization token before communicating the information for the masked payment card to the merchant ([0049] At block 602, a user (e.g. customer) may be authenticated (e.g., at an ATM) and, based on the authentication, the user may be granted access to an interface (e.g., ATM interface). In examples, the user may go to ATM and request a merchant-specific payment apparatus ( e.g., temporary payment card). Before the payment apparatus can be requested, the user may need to perform a successful authentication.)
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the validation and detokenization system of Tang with the authorization system of Benkreira with the so that the merchant does not have direct access to sensitive information. This is done by utilizing tokens for processing a transaction and only providing the necessary information to the Merchant when required. 
	In regards to claims 12 and 19, Method claim 12 and System claim 19 correspond generally to Apparatus claim 5, and recite similar features in system form, and therefore are rejected under the same rationale.

Regarding claim 6, Tang does not teach: 
	communicate a widget to a device of the user
	receive, through interaction with the widget, authentication information from the user; 
authenticate the user using the authentication information; and 
	after authenticating the user and before receiving the authorization token from the merchant, communicate the authorization token to the merchant 

However, Benkreira, teaches: The apparatus of Claim 1, the hardware processor is further configured to:
	communicate a widget (e.g. atm interface) to a device of the user ([0049]
	receive, through interaction with the widget, authentication information from the user; (e.g. biometric authentication, PIN-based authentication), ([0049])
	authenticate the user using the authentication information; and ([0049])
	after authenticating the user and before receiving the authorization token from the merchant, communicate the authorization token to the merchant ([0049])
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the validation and detokenization system of Tang with the widgets of Benkreira with the so that the user can more easily interact with the merchant interface. This is done by utilizing tokens for processing a transaction and only providing the necessary information to the Merchant when required. 
In regards to claims 13 and 20, Method claim 13 and System claim 20 correspond generally to Apparatus claim 6, and recite similar features in system form, and therefore are rejected under the same rationale.

Regarding claim 7, Tang teaches: The apparatus of Claim 1, the hardware processor further configured to 
	communicate a payment token to the merchant along with the information for the masked payment card (Column 14: Lines 53-63, Column 20, Lines 20-40)
	Examiner notes that one of ordinary skill in the art would understand that, from reading the reference, that in order to complete a transaction as outlined in Column 20, Lines 20-40, a payment token would reasonably be sent along with the detokenized card information.
In regards to claim 14, Method claim 14 corresponds generally to Apparatus claim 7, and recite similar features in system form, and therefore is rejected under the same rationale.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent Application #16934282. Although the claims at issue are not identical, they are not patentably distinct from each other because they are very similar in scope and the claims of the U.S. Patent Application are narrower than those in the instant application (see the chart below).

U.S. Patent Application 16934245
U.S. Patent Application #16934282
Claim #1
An apparatus comprising: 
a memory; and a hardware processor communicatively coupled to the memory, the hardware processor configured to: 

Claim #1
A credential security apparatus comprising: a memory; and a hardware processor communicatively coupled to the memory, the hardware processor configured to: 



Claim #2
the information for the masked payment card is discarded after the transaction is completed.
Claim #3
wherein the masked payment card is discarded after the masked payment card is used to facilitate a transaction by the user.
Claim #3
communicate an access token to the merchant after receiving the authorization token from the merchant; and 

receive the access token from the merchant before communicating the information for the masked payment card to the merchant.
 send the access token to the merchant; receive, from the merchant, the access token; 


generate a masked payment card, establish the session with the merchant using the received access token;
Claim #6

communicate a widget to a device of the user; receive, through interaction with the widget, 

authentication information from the user; 
authenticate the user using the authentication information; and 

after authenticating the user and before receiving the authorization token from the merchant, communicate the authorization token to the merchant.






send a widget to a device of the user; 


after sending the widget to the device of the user, receive an authentication confirmation indicating that the user is authenticated to use the payment credentials, 

wherein the authentication confirmation is provided through user interaction with the widget at the device of the user; receiving the authentication confirmation indicating that the user is authenticated, 
receive, from a merchant, an authorization token, 

after receiving the authorization token from the merchant, communicate, to the merchant, information for a masked payment card of the user;



the merchant communicating the authorization token in response to a user initiating a transaction with the merchant, the merchant stores the authorization token rather than payment credentials of the user; 
receive the authorization token from the merchant; 69071401ATTORNEY DOCKET NO.:PATENT APPLICATION 015444.1672USSN 16/934,282 

the masked payment card comprising temporary payment credentials different than the payment credentials that the user attempted to store in memory of the merchant device; and 

further improve security of the payment credentials that the user attempted to store in memory of the merchant device by sending the masked card to the merchant without storing the payment credentials in memory of the merchant device.
after communicating the information for the masked payment card to the merchant, receive the information for the masked payment card and information for the transaction;
Fig. 3B, Summary of the Invention: “The merchant stores the authorization token rather than payment credentials of the user. The hardware processor, after receiving the authorization token from the merchant, communicates, to the merchant, information for a masked payment card of the user and after communicating the information for the masked payment card to the merchant, receives the information for the masked payment card and information for the transaction.”
in response to receiving the information for the masked payment card and the information for the transaction, validate that the information for the masked payment card is correct; and
Summary of the Invention: The hardware processor also, in response to receiving the information for the masked payment card and the information for the transaction, validates that the information for the masked payment card is correct and 
in response to validating that the information for the masked payment card is correct, communicate information for an actual payment card of the user to complete the transaction.
Summary of the Invention: in response to validating that the information for the masked payment card is correct, communicates information for an actual payment card of the user to complete the transaction.




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Each of the prior art listed in the PTO-892 and not directly recited in this office action, disclose anticipation and/or obviousness to combine concerning the applicant’s claims and are therefore included.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to TERRY N MURRAY whose telephone number is (313)446-6556. The examiner can normally be reached Monday-Thursday 6 AM-4 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/T.N.M./Examiner, Art Unit 3685                                                                                                                                                                                                        
/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685