DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/28/2022 has been entered.

Status of Claims
•	This action is in reply to the RCE filed on 02/28/2022.
•	Claims 1, 10 and 19 have been amended and are hereby entered.
•	Claims 3, 8, 13, and 18 have been canceled.
•	Claims 1-2, 4-7, 9-12, 14-17, and 19 are currently pending and have been examined. 
•	This action is made Non-FINAL.

Response to Arguments
Applicant’s arguments filed January 12, 2022 have been fully considered but they are not persuasive.
The Examiner is withdrawing the 35 USC § 112 rejections due to Applicant’s amendments.
New claim objections have been entered.
New 35 USC § 112 rejections have been entered.
Applicant’s arguments with respect to 35 USC § 103 have been fully considered and are not persuasive.
Regarding Applicant’s arguments on page 9 regarding the claim limitation of “wherein the enablement token has an expiration,” the arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Regarding Applicant’s arguments on pages 9-11, that Kalgi does not teach an electronic wallet identifier that identifies the financial institution electronic wallet to the merchant host, the Examiner respectfully points out that Purves teaches this limitation at least at [0013], disclosing a CallID that is used by the merchant to identify transactions between the merchant and the wallet platform, and at least at [0037], disclosing the CallID is used by the merchant to obtain information from wallet platform.  The Examiner is interpreting the CallID as an electronic wallet identifier that identifies the financial institution wallet to the merchant host.  The cited art of record therefore teaches this limitation.
For the reasons above, Applicant’s arguments are not persuasive. 

Claim Objections
Regarding claim 1, claim 1 recites “a customer account with the merchant,” “a customer logs into the merchant account,” and “the customer account with the merchant.”  For clarity and consistency, the Examiner recommends amending these limitations to be consistent with each other so that it is clear that these accounts are all referring to the same account.
Claim 10 recites similar limitations as claim 1 above and is objected to under the same rationale.
Furthermore regarding claim 1 is objected to because of the following informalities:  Claim 1 recites the limitation “and the merchant host sends the financial institution electronic wallet identifier-to the merchant user interface.”  This limitation is grammatically incorrect because there is a hyphen between the words “identifier” and “to.”
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-2, 4-7, 9-12, 14-17, and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 1, claim 1 recites the limitation “sending, by the financial institution backend, an electronic wallet identifier that identifies the financial institution electronic wallet to the merchant host, and the merchant host sends the financial institution electronic wallet identifier-to the merchant user interface.”  This limitation is confusing because it’s not clear whether the step of “the merchant host sends the financial institution electronic wallet identifier to the merchant user interface” is actually being performed or if the step is merely a consequence of the “sending, by the financial backend institution” step.  Was “sending, by the merchant host, the financial institution electronic wallet identifier to the merchant user interface” meant here?
Regarding claim 10, claim 10 recites a system with multiple components, followed by a wherein clause that introduces a series of steps.  Claim 10 is confusing because it is not clear how the steps after the “wherein” clause are tied to the claimed system components.  The metes and bounds of the claim are not clear, and therefore renders the claim indefinite under 112(b).  The Examiner recommends amending the claim to tie in the steps to the components, for example, reciting a financial institution backend comprising at least one computer processor configured to perform claimed functions.
Claims 2, 4-7, 9, 11-12, 14-17, and 19 are rejected due to their dependency to a rejected claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 4, 6, 10, 14, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over US 2018/0108008 (“Chumbley”) in view of US 20120173431 A1 (“Ritchie”), in further view of US 2018/0121917 (“Purves”), and in further view of US 2015/0019944 (“Kalgi”).
Regarding claim 1, Chumbley discloses a method for linking a plurality of accounts using an enablement token, comprising: 
receiving, at a financial institution backend and from a financial institution user interface presented on an electronic device, a request (A user may wish to link the account data to a resource specific token that can be used to conduct a transaction with a specific resource provider.  The user may generate a request for the resource provider specific token, which may comprise a resource provider ID such as a merchant name or merchant ID entered by the user.  The request may be generated using the interface provided by a digital wallet application.  For example, the interface may display a list of merchant names that the user may select and then assign account information using an “add” button adjacent to a visualization of the account selection.  Once the request has been generated, the request is transmitted by the user device over a network and received by digital wallet server computer.  See at least [0061]-[0062].  A user may send account data, including an account identifier, such as an account number, a routing number, a card verification value (CVV or CVV2), etc., to a digital wallet, where it is stored in a digital wallet database.  See at least [0056]-[0057] and [0060].  A resource provider may be a merchant.  See at least [0047].  A digital wallet provider may be an issuing bank.  See at least [0046].  The Examiner interprets the digital wallet server computer as the financial institution backend.  The Examiner also interprets the resource provider as the merchant.)
from a customer in a browser session with the financial institution user interface (The digital wallet has a user interface presented on an electronic device.  See at least [0103], and [0023]-[0025].  See also FIG. 9.  The user may interact with the application via a website associated with the digital wallet server computer.  See at least [0061].  See also [0056].  The user device may use HTTP and HTTPS protocol to communicate data in the system.  See at least [0111].  The Examiner interprets the user accessing a website on the user device and using the website to interact with the digital wallet as the customer in a browser session.)
to link a financial institution electronic wallet to a customer account with a merchant (A user may send account data, including an account identifier, such as an account number, a routing number, a card verification value (CVV or CVV2), etc., to a digital wallet, where it is stored in a digital wallet database.  See at least [0056]-[0057] and [0060].  A user may wish to link the account data to a resource specific token that can be used to conduct a transaction with a specific resource provider.  The user may generate a request for the resource provider specific token, which may comprise a resource provider ID such as a merchant name or merchant ID entered by the user.  The request may be generated using the interface provided by a digital wallet application.  For example, the interface may display a list of merchant names that the user may select and then assign account information using an “add” button adjacent to a visualization of the account selection.  Once the request has been generated, the request is transmitted by the user device over a network and received by digital wallet server computer.  The digital wallet server computer links the resource provider specific token with the resource provider identifier and account selection in digital wallet database. See at least [0061]-[0062].  The Examiner interprets the resource provider identifier and account selected by the user as “a customer account with the merchant.”  See for example FIG. 3 that depicts a customer account with the merchant, depicting a resource provider specific token with a merchant ID (the resource provider ID) and a payment account name and PAN number to be used in transactions with the particular merchant.);
generating, by the financial institution backend, an enablement token that is mapped to the financial institution and to the merchant (Once the request has been generated, the request is transmitted by the user device over a network and received by digital wallet server computer.  The digital wallet server may send a request to token provider server computer, which sends the token over to the digital wallet server computer.  The digital wallet server computer links the resource specific token with the resource provider identifier and account selection in the digital wallet database.  See at least [0062].  The Examiner interprets the digital wallet server receiving a token and linking the token to a resource provider identifier and account selection of the user as generating the enablement token.),
sending, by the financial institution backend, the enablement token to the financial institution user interface (The digital wallet server computer then sends the resource provider specific token to user device where it is displayed or stored by user device.  The resource specific tokens may be displayed to the user using an interface provided by a digital wallet application or website associated with the digital wallet server computer.  See at least [0062]-[0063].);
navigating the browser session to a merchant user interface presented on the user device (A method may begin with a user obtaining a resource specific token stored or displayed on the user device.  The resource specific token by be obtained according to the system described with respect to FIG. 1 (described in Chumbley at [0054]-[0063]).  The user may establish a connection with the resource provider via the Internet in an e-commerce transaction.  The resource provider specific token may be provided to the resource specific system via data forms on the resource provider website.  The resource provider token and user details may be auto-filled into the data form of the resource provider website by the user device.  See at least [0065]-[0067].  The merchant website may be displayed on the user’s device.  See at least [0065] and FIG. 2, user accessing the Resource Provider System via User Device 220.);
providing the enablement token to the merchant user interface (The user may establish a connection with the resource provider via the Internet in an e-commerce transaction.  The resource provider specific token may be provided to the resource specific system via data forms on the resource provider website.  The resource provider token and user details may be auto-filled into the data form of the resource provider website by the user device.  See at least [0065]-[0067].), 
wherein the merchant user interface provides the enablement token and an identifier for the customer account with the merchant to a merchant host (The resource provider specific token may be provided to the resource specific system via data forms on the resource provider website.  The resource provider token and user details may be auto-filled into the data form of the resource provider website by the user device.  Once the resource provider system has received the resource provider specific token from the user and/or user device, the resource provider system may store the resource provider specific token along with any user details entered by the user in the user account database of the resource provider system.  See at least [0067]-[0068].  The user may enter details via a data form that include a user’s name, shipping address, etc.  See at least [0067].  Digital wallet server computer then links the resource provider specific token with the resource provider identifier and account selection in digital wallet database. The resource provider specific token may further be linked to user details associated with the wallet ID and/or digital wallet account of user such as user name, device information, shipping address, etc.  See at least [0062].  The Examiner interprets the user details, such as a user name or shipping address, as an identifier for the customer account with the merchant.  Since the user name or shipping address is linked to the resource provider specific identifier and account select, the user name or the shipping address therefore is an identifier for the customer account.); 
receiving, by the financial institution backend and from the merchant host, the enablement token and the identifier for the customer account with the merchant (To conduct a transaction, the resource provider system may generate an authorization request comprising the transaction data such as account data comprising data entered into data form by user or user device including the resource provider specific token and user details.  The authorization request is forwarded through to the token service, and the token service sends the authorization request, comprising the resource provider specific token, to the digital wallet server computer.  See at least [0069].);
verifying, by the financial institution backend, the enablement token (The digital wallet server computer then sends the token back to the token service provider for validation, and the token service validates the authorization request.  See at least [0069]-[0070].  The validation may also be performed by the digital wallet server computer.  See at least [0071].);
sending, by the financial institution backend, an identifier (Authorizing system may submit a real account number.  See at least [0072].  Authorizing system may be part of digital wallet server network.  See at least [0065] and FIG. 2.). 

While Chumbley discloses an enablement token, Chumbley does not expressly disclose wherein the enablement token has an expiration.  Furthermore, while Chumbley discloses navigating the browser session to a merchant user interface, Chumbley does not expressly disclose that navigating is by redirecting, by the financial institution user interface, the browsing session.  Nor does Chumbley expressly disclose wherein a customer logs in to the merchant account using the merchant user interface.  Furthermore, while Chumbley discloses providing the enablement token to the merchant user interface, Chumbley does not expressly disclosing that providing the enablement token is by the financial institution user interface.  Furthermore, while Chumbley discloses verifying by the financial institution backend, Chumbley does not expressly disclose verifying that the enablement token has not expired.  Furthermore, while Chumbley discloses the financial institution backend sending an identifier, Chumbley does not expressly disclose sending an electronic wallet identifier that identifies the financial institution electronic wallet to the merchant host.  Nor does Chumbley expressly disclose the merchant host sends the financial institution electronic wallet identifier to the merchant user interface.  

However, Ritchie discloses wherein the enablement token has an expiration;  verifying that the enablement token has not expired (After confirming the token has not expired, the token transaction processing program can transmit an communication or indication to the token transaction processing program and/or merchant system that the token transaction has been authenticated, validated, or otherwise approved.  See at least [0108].).
From the teaching of Ritchie, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the token of Chumbly to have an expiration, as taught by Ritchie, and to modify the verifying of Chumbley to verify that the token has not expired, as taught by Ritchie, in order to improve security of retail transactions (see Ritchie at least at [0002]-[0003]).

While Chumbley discloses navigating the browser session to a merchant user interface, Chumbley does not expressly disclose that navigating is by redirecting, by the financial institution user interface, the browsing session.  Nor does Chumbley expressly disclose wherein a customer logs in to the merchant account using the merchant user interface.  Furthermore, while Chumbley discloses providing the enablement token to the merchant user interface, Chumbley does not expressly disclosing that providing the enablement token is by the financial institution user interface.  Furthermore, while Chumbley discloses the financial institution backend sending an identifier, Chumbley does not expressly disclose sending an electronic wallet identifier that identifies the financial institution electronic wallet to the merchant host.  Nor does Chumbley expressly disclose the merchant host sends the financial institution electronic wallet identifier to the merchant user interface.  

However, Purves discloses navigating is by redirecting, by the financial institution user interface, the browsing session (A consumer may be online with an issuer in the course of normal business (e.g., online with issuer to check balance or make a payment).  The issuer may present an offer to the consumer to allow conversion of his or her credit card held at the merchant to a token-based account.  When the consumer approves the offer, the issuer may interface with a wallet platform to facilitate tokenization request and to redirect the consumer to the merchant by web-redirect and post message.  See at least [0020]-[0023].  Issuer and merchant are associated with and accessible by websites.  See at least [0025]-[0026] and [0032].  The Examiner interprets the consumer interacting with the interface of the financial institution and being redirected from the financial institution interface to the merchant interface by accepting an offer offered by the financial institution interface as “redirecting by the financial instition.”);
providing the enablement token is by the financial institution user interface (A consumer may be online with an issuer in the course of normal business (e.g., online with issuer to check balance or make a payment).  The issuer may present an offer to the consumer to allow conversion of his or her credit card held at the merchant to a token-based account.  When the consumer approves the offer, the issuer may pass the consumer/cardholder account information or relevant portion to the wallet platform, which may communicate with the token service provider to generate a tokenized card number, and then send a payload (which includes the tokenized card number) to the merchant.  See at least [0020]-[0023]. Issuer and merchant are associated with and accessible by websites.  See at least [0025]-[0026] and [0032].);
sending an electronic wallet identifier that identifies the financial institution electronic wallet to the merchant host (The wallet platform generates and sends to the merchant a CallID.  See at least [0018] and [0022]-[0023].  A merchant stores a CaIIID which is used to identify transactions between the merchant and the wallet platform.  See at least [0013].  The CallID is used by the merchant to obtain information from wallet platform.  See at least [0037].  The Examiner interprets the CallID as an electronic wallet identifier that identifies the financial institution wallet to the merchant host.).
From the teaching of Purves, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbley by the navigating of Chumbley being a page redirect, as taught by Purves, and by the providing of the enablement token step of Chumbley being performed by the financial institution, using the technique taught by Purves, and to modify Chumbly to send an electronic wallet identifier that identifies the financial institution electronic wallet to the merchant host, as taught by Purves, in order to increase security (see Purves at least at [0004], [0014], and [0016]).

Chumbley does not expressly disclose a customer logs in to the merchant account using the merchant user interface.  Nor does Chumbley expressly disclose the merchant host sends the financial institution electronic wallet identifier to the merchant user interface.  

However, Kalgi discloses a customer logs in to the merchant account using the merchant user interface (Account is a customer account associated with a merchant (e.g., Nordstrom).  See at least FIG. 5B, Merchant Account Login UI.  See also [0098].  See also FIG. 8a, Screen 815a.);
and the merchant host sends the financial institution electronic wallet identifier to the merchant user interface (In one implementation, the customer sign in may be a trigger for the merchant to make an API/JAVASCRIPT call to the wallet service to obtain a payment method. For example, the payment method obtained from the wallet may be a payment method nickname (e.g., my personal account). See at least [0098] and FIG. 8b at (5), showing the Merchant Site 825 displaying the Payment Method 825c. The merchant server may utilize callbacks (which includes the customer ID that is unique to the customer-merchant relationship) via APIs, inline widgets, etc.,to pull user information from the wallet. See at least [0104] and [0091]. The merchant may display a wallet window as an interactive element injected onto the merchant’s website. See at least [0092]-[0093]. See also FIG. 5C, widget 530a and 530b. The Examiner interprets the merchant injecting the merchant website with the wallet using callback including customer ID as the merchant host sending the electronic wallet identifier to the merchant user interface. The merchant uses the customer ID to display the wallet onto the merchant website. (see also [0088], where the initial connection between an entity and a wallet creates a customer identifier unique to that relationship).  See also FIG. 5, the V.me wallet widget displayed on the merchant user interface. ). 
From the teaching of Kalgi, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbley to allow the customer to login using the merchant interface, as taught by Kalgi, and to modify the merchant host of Chumbley to send the financial institution electronic wallet identifier to the merchant user interface, as taught by Kalgi, in order to increase security of customer information (see Kalgi at least at [0049]-[0050] and [0088]), and in order to improve the user experience (see Kalgi at least at [0186]).  

Regarding claim 2, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 1, as discussed above, and Chumbley further discloses the financial institution user interface comprises a browser tab for the financial institution (A digital wallet application may be stored in the memory of user device 220 or a website, that provides the interface, associated with digital wallet server computer 240.  See at least [0073].  See also [0056].).

Regarding claim 4, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 1, as discussed above, and Chumbley further discloses the enablement token comprises an alphanumeric string (A token may include a series of alphanumeric characters that may be used as a substitute for an original account identifier.  See at least [0039].).

Regarding claim 6, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 1, as discussed above, and Chumbley further discloses the enablement token comprises a state (The digital wallet server computer may then change the entry for “last update” 360 linked to the resource provider specific token to the current date and time.  See at least [0078].  See also [0106].).

Claim 10 has similar limitations found in claim 1 above, and therefore is rejected by the same art and rationale.  And Chumbley further discloses a financial institution backend comprising at least one computer processor (see at least [0023] and FIG. 1.  See also [0028].  See also [0109]-[0113].); a financial user interface presented in a browser executed by a mobile device (see at least [0023]-[0026] and FIG. 1.); a merchant host for the merchant user interface comprising at least one computer processor (see at least [0065] and FIG. 2.  See also [0028].  See also [0109]-[0113].).  

Claim 14 has similar limitations found in claim 4 above, and therefore is rejected by the same art and rationale.

Claim 16 has similar limitations found in claim 6 above, and therefore are rejected by the same art and rationale.

Claims 5, 12, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chumbley in view of Ritchie, in further view of Purves, in further view of Kalgi, and in further view of US 2018/0150832 (“Badal-Badalian”)
Regarding claim 5, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 1, as discussed above.  Chumbley does not expressly disclose the enablement token comprises a token expiration field.

However, Badal-Badalian discloses the enablement token comprises a token expiration field (A token may include an expiration field, for example, paymentTokenExpiry = “2017-03-14T15:37:25.”  See at least [0213].).
From the teaching of Badal-Badalian, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbley by the enablement token comprising a token expiration field, as taught by Badal-Badalian, in order to enhance security by reducing security risks associated with logging into merchant websites.  (See Badal-Badalian at least at [0003] and [0141]).


Regarding claim 12, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 10, as discussed above, and Chumbley further discloses the first provider user interface comprises a browser tab for the first provider (A digital wallet application may be stored in the memory of user device 220 or a website, that provides the interface, associated with digital wallet server computer 240.  See at least [0073].  See also [0056].).

Chumbley does not expressly disclose the second user interface comprises a browser tab for the second provider. 

However, Badal-Badalian discloses the second user interface comprises a browser tab for the second provider (In some embodiments, the merchant website 106 may be accessed using mobile device 114 using a mobile browser or may be part of an application residing on a mobile device 114 or another device.  See at least [0266].  See also FIG. 20-21.).
From the teaching of Badal-Badalian, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbly by the second user interface being on the mobile device, as taught by Badal-Badalian, in order to enhance security by reducing security risks associated with logging into merchant websites.  (See Badal-Badalian at least at [0003] and [0141]).

Claim 15 has similar limitations found in claim 5 above, and therefore is rejected by the same art and rationale.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Chumbley in view of Ritchie, in further view of Purves, in further view of Kalgi, and in further view of US 2015/0206136 (“Maddocks”).
Regarding claim 7, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 6, as discussed above.  Chumbley does not expressly disclose the state is one of issued, consumed, and terminated.

However, Maddocks discloses the state is one of issued, consumed, and terminated (In addition or alternatively, the shared CVM applet 304 may store information that records the status of at least some CVM tokens that it issues, where the status may be, for example, "issued, not consumed" or "issued, consumed".  See at least [0052].).
From the teaching of Maddocks, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbly by the token comprising a state of issued or consumed, as taught by Maddock, in order to assure issued tokens are only used once.  (See Maddocks at least at [0052]).

Claim 17 has similar limitations found in claim 7 above, and therefore are rejected by the same art and rationale.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Chumbley in view of Ritchie, in further view of Purves, in further view of Kalgi, in further view of US 10,937,025 (“Sahni”), and in further view of US 9,596,606 (“Palmer”).
Regarding claim 9, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 1, as discussed above.  Chumbley does not expressly disclose receiving, at an Application Programmable Interface (API) gateway for the financial institution, a client secret from the merchant; and the API gateway validating the client secret before validating the enablement token.

However, Sahni discloses receiving, at an Application Programmable Interface (API) gateway for the financial institution, a client secret (The financial institution computing system includes various logic modules, including API manager logic which controls operations of the APIs provided by the financial institution computing system.  The APIs provide various services via an API gateway.  See at least col 4, lines 6-25.  See also FIG. 1, API Gateway 122 of Financial Institution Computing System 102.  See also col. 14, lines 34-50.  Client passcode is received via API gateway.  See at least col. 7, lines 37-56).
From the teaching of Sahni, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbly by the first provider backend including an API gateway, as taught by Sahni, in order to enhance security and reduce risk of fraudulent transactions (see Sahni at least at col. 1, lines 25-43).

Chumbley does not expressly disclose the first provider receiving a client secret from the merchant; and validating the client secret before validating the enablement token.

However, Palmer discloses the first provider receiving a client secret from the merchant (Content provider device 160 may send an authentication request to API gateway device 170 (M602). The authentication request M602 may include the credentials (e.g., client ID and/or client secret). API gateway device 170 may generate a timestamp (T1) upon receiving the authentication request M602 (Block 615).  See at least col. 12, lines 4-45.  See also col. 5, lines 44-63; and FIG. 6, steps 605-645 and steps M602-M606.); and
validating the client secret before validating the enablement token (The API Gateway may then obtain the access token that may be used for authentication and/or validation of the content provider device 160.  See at least col. 12, lines 4-45.  See also col. 5, lines 44-63; and FIG. 6, steps 605-645 and steps M602-M606.).
From the teaching of Palmer, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbley by the API gateway receiving a client secret from the second provider, as taught by Palmer, in order to enhance security and to reduce burden of entities interacting with a variety of infrastructure devices. (See Palmer at least at col. 1, line 55 to col. 2, line 30; see also Palmer at col. 1, lines 7-15.).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Chumbley in view of Ritchie, in further view of Purves, in further view of Kalgi, and in further view of Sahni.
Regarding claim 11, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 10, as discussed above.  Chumbley does not expressly disclose the financial institution backend comprises a first provider API gateway.

However, Sahni discloses the financial institution backend comprises a first provider API gateway (The financial institution computing system includes various logic modules, including API manager logic which controls operations of the APIs provided by the financial institution computing system.  The APIs provide various services via an API gateway.  See at least col 4, lines 6-25.  See also FIG. 1, API Gateway 122 of Financial Institution Computing System 102.  See also col. 14, lines 34-50.  Client passcode is received via API gateway.  See at least col. 7, lines 37-56).
From the teaching of Sahni, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbly by the first provider backend including an API gateway, as taught by Sahni, in order to enhance security and reduce risk of fraudulent transactions (see Sahni at least at col. 1, lines 25-43).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Chumbley in view of Ritchie, in further view of Purves, in further view of Kalgi, and in further view of Palmer.
Regarding claim 19, the combination of Chumbley, Ritchie, Purves, and Kalgi discloses the limitations of claim 10, as discussed above, and Chumbley further discloses verifying the enablement token (The digital wallet server computer then sends the token back to the token service provider for validation, and the token service validates the authorization request.  See at least [0069]-[0070].  The validation may also be performed by the digital wallet server computer.  See at least [0071].).  

While Chumbley discloses verifying the enablement token, Chumbley does not expressly disclose the API gateway receives a client secret from the merchant, and an API gateway validates the client secret before verifying the enablement token has not expired.

However, Palmer discloses the API gateway receives a client secret from the merchant (Content provider device 160 may send an authentication request to API gateway device 170 (M602). The authentication request M602 may include the credentials (e.g., client ID and/or client secret). API gateway device 170 may generate a timestamp (T1) upon receiving the authentication request M602 (Block 615).  See at least col. 12, lines 4-45.  See also col. 5, lines 44-63; and FIG. 6, steps 605-645 and steps M602-M606. ), and
the API gateway validates the client secret before validating the enablement token (The API Gateway may then obtain the access token that may be used for authentication and/or validation of the content provider device 160.  See at least col. 12, lines 4-45.  See also col. 5, lines 44-63; and FIG. 6, steps 605-645 and steps M602-M606.).
From the teaching of Palmer, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify Chumbly by the API gateway receiving a client secret from the second provider, as taught by Palmer, in order to enhance security and to reduce burden of entities interacting with a variety of infrastructure devices. (See Palmer at least at col. 1, line 55 to col. 2, line 30; see also Palmer at col. 1, lines 7-15.).

While Chumbley discloses verifying the enablement token, Chumbley does not expressly disclose verifying the enablement token has not expired.

However, Ritchie discloses verifying the enablement token has not expired (After confirming the token has not expired, the token transaction processing program can transmit an communication or indication to the token transaction processing program and/or merchant system that the token transaction has been authenticated, validated, or otherwise approved.  See at least [0108].).
From the teaching of Ritchie, it would have been obvious to one having ordinary skill in the art before the effective filing date to modify the token of Chumbly to have an expiration, as taught by Ritchie, and to modify the verifying of Chumbley to verify that the token has not expired, as taught by Ritchie, in order to improve security of retail transactions (see Ritchie at least at [0002]-[0003]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.  
US 2014/0344153 (“Raj”) discloses methods for implementing a mobile tokenization hub with a common tokenization capabilities module that may provide tokenization for various entities in various contexts.  
US 2017/0300897 (“Ferenczi”) discloses transmitting a virtual token to a payment service provider script integrated in a browser used by the consumer.
“Browsing Sessions” by Hamilton Ulmer, Blog of Metrics, dated December 22, 2010 https://blog.mozilla.org/metrics/2010/12/22/browsing-sessions/#:~:text=Before%20we%20begin%2C%20the%20unit,no%20more%20than%2030%20minutes. (hereinafter “Ulmer”) discloses a browser session is a continuous period of user activity in the browser. 
“HTTP Meaning & Definition,” by Abby Dykes, webopedia, accessed November 13, 2020 https://www.webopedia.com/TERM/H/HTTP.html#:~:text=HyperText%20Transfer%20Protocol%20(HTTP)%20is,the%20client%2Dserver%20computing%20model  (hereinafter “Dykes”) discloses HyperText Transfer Protocol (HTTP) is the underlying protocol used by the World Wide Web to define how messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAVEN E ZEER whose telephone number is (313)446-6606.  The examiner can normally be reached on Monday - Friday 8-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bennett M Sigmond can be reached on (303) 297-4411.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/R.E.Z./Examiner, Art Unit 3694  

/BENNETT M SIGMOND/Supervisory Patent Examiner, Art Unit 3694