DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Status of Claims
Claims 1-21 have been examined.
Response to Arguments
Applicant's arguments filed on 04/18/2022 have been fully considered but they are not persuasive.
With respect to claim 1, Applicant is of the opinion that prior art fails to teach “after receiving the encrypted first session key and decrypting the first session key”. However, examiner respectfully disagrees. 
Tang discloses: wherein the first SPM is configured to: receive a first set of magnetic card data from the first card reader; encrypt the first set of magnetic card data using, at least in part, the first session key; and transmit the encrypted first set of magnetic card data to the POS server (See paragraph 0035, 0049, 0071 and 0074); Bruce discloses: use of encryption/decryption of the session key between two entities (See page 32-34, 185-187 and 574-577), the combination does not specifically teach that the first set of magnetic card data is received after receiving the encrypted first session key and decrypting the first session key. However, there are finite timing aspect of when the first set of magnetic card data is received in relation to the sharing of the key (including the encryption/decryption of the session key), e.g. before or after the encrypted first session key is received and decrypted as long as the session key is made available prior to its use. Therefore, the combination of the prior art teaches the limitation above.
The arguments with respect to claims 6 and 8 are moot in view of new ground of rejection.
With respect to U.S.C. 101 arguments, Applicant is of the opinion that amendments overcome the rejection. However, Examiner respectfully disagrees. Please see the rejection below.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 6-9 and 16-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
In the instance case, claims 6-9 and 16-21 are directed to a method. Therefore, these claims fall within the four statutory categories of invention.
The claims are directed to protecting payment data which is an abstract idea. Specifically, the claims recite generating and sharing the data and protecting card data grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because the claims involve a series of steps generating and sharing the data and protecting card data which is a process that deals with certain methods of organizing human activities such as commercial or legal interactions. Accordingly, the claims recite an abstract idea (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)).
Additionally, the claims are directed toward cryptographic operations which is the abstract idea of a mathematical concept. See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, at 52 (Jan. 7, 2019). Therefore, the claim is directed to an abstract idea, as it has been held that a combination of abstract ideas, in this case organizing human activity and a mathematical concept, is still an abstract idea. See FairWarning IP, LLC v. Iatric Sys., Inc., 839 F.3d 1089, 1093-94 (Fed. Cir. 2016).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional elements of the claims such as, POS and SPM merely use a computer as a tool to perform an abstract idea. Specifically, POS server, and SPM perform the steps of generating and sharing the data and protecting card data. The use of a processor/computer as a tool to implement the abstract idea does not integrate the abstract idea into a practical application because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea. The additional elements do not involve improvements to the functioning of a computer, or to any other technology or technical field (MPEP 2106.05(a)), the claims do not apply or use the abstract idea to effect a particular treatment or prophylaxis for a disease or medical condition (Vanda Memo), the claims do not apply the abstract idea with, or by use of, a particular machine (MPEP 2106.05(b)), the claims do not effect a transformation or reduction of a particular article to a different state or thing (MPEP 2106.05(c)), and the claims do not apply or use the abstract idea in some other meaningful way beyond generally linking the use of the abstract idea to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (MPEP 2106.05(e) and Vanda Memo). Therefore, the claims do not, for example, purport to improve the functioning of a computer. Nor do they effect an improvement in any other technology or technical field. Accordingly, the additional elements do not impose any meaningful limits on practicing the abstract idea, and the claims are directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), the additional elements of POS server and SPM, to perform the steps amounts to no more than using a computer or processor to automate and/or implement the abstract idea of access control. As discussed above, taking the claim elements separately, POS server and SPM perform the steps of generating and sharing the data and protecting card data. These functions correspond to the actions required to perform the abstract idea. Viewed as a whole, the combination of elements recited in the claims merely recite the concept of protecting payment data. Therefore, the use of these additional elements does no more than employ the computer as a tool to automate and/or implement the abstract idea. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). Therefore, the claim is not patent eligible. 
Dependent claims further describe the abstract idea of protecting payment data. The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. Therefore, the dependent claims are also not patent eligible.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 12 and 14-15 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tang (US 20050147250) in view of “Applied Cryptography" by Bruce Schneier (hereafter ‘Bruce’) (Reference U).
With respect to claims 1, 12, 14, 15 Tang discloses: 
a first secure payment module (SPM) in a first fuel dispenser coupled to a first card reader, the first SPM storing a first public key certificate issued by a trusted certificate authority to uniquely identify the first SPM, and a first private key associated with the first public key certificate; (See Fig 5, paragraph 0053, 0067, 0071 and 0073);
a point-of-sale (POS) environment, the POS environment comprising a first POS server communicably coupled to the first SPMs, the first POS server storing a third public key certificate issued by the trusted certificate authority, wherein the POS server is configured to (See Fig 5 part 520, paragraph 0053, 0067, 0071 and 0073); 
dynamically generate a first session key (i.e. symmetric key) for communication with the first SPM (See paragraph 0067, 0071 and 0073-0074);
wherein the first SPM is configured to: receive a first set of magnetic card data from the first card reader; encrypt the first set of magnetic card data using, at least in part, the first session key; and transmit the encrypted first set of magnetic card data to the POS server (See paragraph 0035, 0049, 0071 and 0074);.
Tang does not explicitly disclose: encrypt the first session key using, at least in part a first public key included in the first public key certificate; transmit the encrypted first session key to the first SPM; receive the encrypted first session key from the POS server; decrypt the first session key using, at least in part, the first private key.
Bruce discloses: encrypt the first session key using, at least in part a first public key included in the first public key certificate; transmit the encrypted first session key to the first SPM; receive the encrypted first session key from the POS server; decrypt the first session key using, at least in part, the first private key (See page 32-34, 185-187 and 574-577). Therefore, it would have been obvious to one of the ordinary skill in the art at the time invention was made to modify the Tang reference with the Bruce reference in order to provide extra security.
With respect to “after receiving the encrypted first session key and decrypting the first session key receiving a first set of magnetic card data from the first reader. Tang discloses: wherein the first SPM is configured to: receive a first set of magnetic card data from the first card reader; encrypt the first set of magnetic card data using, at least in part, the first session key; and transmit the encrypted first set of magnetic card data to the POS server (See paragraph 0035, 0049, 0071 and 0074); Bruce discloses: use of encryption/decryption of the session key between two entities (See page 32-34, 185-187 and 574-577), the combination does not specifically teach that the first set of magnetic card data is received after receiving the encrypted first session key and decrypting the first session key. However, there are finite timing aspect of when the first set of magnetic card data is received in relation to the sharing of the key (including the encryption/decryption of the session key), e.g. before or after the encrypted first session key is received and decrypted as long as the session key is made available prior to its use. Therefore, the combination of the prior art teaches the limitation above.
Further, Applicant's own disclosure in paragraph 0042 describe “Standard methods of retrieving public key certificates may be implemented such that the POS server 170 receives a copy of the certificate 135…” the retrieving public key certificates is standard.
With respect to “second SPM in second fuel dispenser….; dynamically generating second session key….; encrypting second session key…; transmit the encrypted second session key…; wherein the second SPM is configured to: … ” these limitations differed from prior art only in requiring the addition of SPM, public certificates, session key and sensitive data to be duplicated. Therefore, it has been held mere duplication of parts has no patentable significance unless new and unexpected result is produce. (In re Harza, 124 USPQ 378 (CCPA 1960)). Applicant specification identifies the second SPM as associated with additional retail environments such as different fueling dispensers (i.e. different gas pumps)(See paragraph 0014)

With respect to claim 2, Tang in view of Bruce discloses all the limitations as described above. Tang further discloses: receive the encrypted first set of magnetic card data from the first SPM; decrypt the first set of magnetic card data using, at least in part, the first session key; (See paragraph 0074). 

With respect to claim 3, Tang in view of Bruce discloses all the limitations as described above. Tang further discloses: send the decrypted first set of magnetic card data to the first authorization network communicably coupled to the POS server, wherein the first authorization network is configured to authorize the first set of magnetic card data (See Fig 6 part 625).

Claims 4-5 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tang (US 20050147250) in view of “Applied Cryptography" by Bruce Schneier (hereafter ‘Bruce’) (Reference U) in further view of Kobozev (US 7500100).
With respect to claim 4, Tang in view of Bruce discloses all the limitations as described above. Bruce further discloses: the data from the certificates is digital signature unique to the trusted certificate authority (See page 574 Fig 24.2). Tang in view of Bruce does not explicitly disclose: retrieving data from the first public key certificate and retrieve data from the second public key certificate and comparing the data in the first certificate and data from the second certificate. Kobozev discloses: retrieving data from the first public key certificate and retrieve data from the second public key certificate and comparing the data in the first certificate and data from the second certificate (See Abstract, and column 7 lines 14-67-column 8 lines 1-8). Therefore, it would have been obvious to one of the ordinary skill in the art at the time invention was made to modify the combination of Tang, and Bruce references with the Kobozev reference in order to verify the identity and validity of the clients. 

With respect to claim 5 Tang in view of Bruce and in further view of Kobozev discloses all the limitations as described above. With respect to “authenticating second SPM….; third digital signature from second public key certificate…” these limitations differed from prior art only in requiring the addition of second SPM authentication, to be duplicated. Therefore, it has been held mere duplication of parts has no patentable significance unless new and unexpected result is produce. (In re Harza, 124 USPQ 378 (CCPA 1960)).

Claims 6-7, 10, 13 and 16-18 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tang (US 20050147250) in view of “Applied Cryptography" by Bruce Schneier (hereafter ‘Bruce’) (Reference U) in further view of Parkinson (US 20080022122).
With respect to claims 6-7, 10, 13, 16-17 Tang discloses: 
a point-of-sale (POS) server dynamically generate a first session key for communication with a first secure payment module (SPM) in a fuel dispenser couple to a card reader  (See Fig 5 part 520, paragraph 0053, 0067, 0071 and 0073);
receiving from the SPM a first set of magnetic card data encrypted by the SPM using at least in part the first session key and decrypting the first set of magnetic card using at least in part the first session key (See paragraph 0074)
Tang does not explicitly disclose: encrypt the first session key using, at least in part a first public key included in the first public key certificate; transmit the encrypted first session key to the first SPM; generating the first session key comprising the POS server using system entropy. 
Bruce discloses: encrypt the first session key using, at least in part a first public key included in the first public key certificate; transmit the encrypted first session key to the first SPM; (See page 32-34, 185-187 and 574-577). Therefore, it would have been obvious to one of the ordinary skills in the art at the time invention was made to modify the Tang reference with the Bruce reference in order to provide extra security.
Tang in view of Bruce does not explicitly disclose: POS server generate key by using system entropy. Parkinson discloses: server generate key by using system entropy (See paragraph 0008, 0017, 0042). Therefore, it would have been obvious to one of the ordinary skills in the art at the time invention was made to modify the combination of Tang and Bruce references in order to provide a strong PRNG for generating keys (See Parkinson paragraph 0009).
Further, Applicant's own disclosure in paragraph 0042 describe “Standard methods of retrieving public key certificates may be implemented such that the POS server 170 receives a copy of the certificate 135…” the retrieving public key certificates is standard.
With respect to claims 7 and 17, Tang in view of Bruce and in further view of Parkinson discloses all the limitations. With respect to “dynamically generating second session key….; encrypting second session key…; transmit the encrypted second session key…; receiving a second set of magnetic card data…; and decrypting the second set of magnetic card data…” these limitations differed from prior art only in requiring the addition of session key and card data to be duplicated. Therefore, it has been held mere duplication of parts has no patentable significance unless new and unexpected result is produce. (In re Harza, 124 USPQ 378 (CCPA 1960)).

With respect to claim 18, Tang in view of Bruce and in further view of Parkinson discloses all the limitations. With respect to “wherein the SPM stores a first public key certificate issued by a trusted certificate authority to uniquely identify the SPM, and a first private key associated with the first public key certificate” this limitation does not have patentable weight because this is considered outside the scope of the claim. In other words, the claim 6 is directed to a method performed by a POS server, and action performed by the SPM is outside the scope of the claim. 

Claims 8-9, 11 and 21 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tang (US 20050147250) in view of “Applied Cryptography" by Bruce Schneier (hereafter ‘Bruce’) (Reference U) in further view of Mariana (US 7047558).
With respect to claim 8 and 11 Tang discloses: 
a secure payment module (SPM) in a fuel dispenser; (See Fig 5, paragraph 0053, 0067, 0071 and 0073);
receive a first set of magnetic card data from the first card reader; encrypt the first set of magnetic card data using, at least in part, the first session key; and transmit the encrypted first set of magnetic card data to the POS server (See paragraph 0035, 0049, 0071 and 0074);
Tang does not explicitly disclose: receive the encrypted first session key from the POS server; decrypt the first session key using, at least in part, the first private key; SPM and the card reader being physically secured in a tamper-resistant enclosure.
Bruce discloses: receive the encrypted first session key from the POS server; decrypt the first session key using, at least in part, the first private key (See page 32-34, 185-187 and 574-577). Therefore, it would have been obvious to one of the ordinary skills in the art at the time invention was made to modify the Tang reference with the Bruce reference in order to provide extra security.
Tang in view of Bruce does not explicitly disclose: SPM and the card reader being physically secured in a tamper-resistant enclosure. Mariana discloses: SPM and the card reader being physically secured in a tamper-resistant enclosure (See Fig 3 column 8 lines 1-14). Therefore, it would have been obvious to one of the ordinary skills in the art at the time invention was made to modify the combination of Tang and Bruce references with Mariana reference in order to provide physical device security.
With respect to “the first session key encrypted by the POS server with a first public key associated with a first public key certificate uniquely identifying the SPM” this limitation does not have patentable weight because this is considered outside the scope of the claim. In other words the claim is directed to a method performed by a SPM, and action performed by the POS server is outside the scope of the claim. 
Further, Applicant's own disclosure in paragraph 0042 describe “Standard methods of retrieving public key certificates may be implemented such that the POS server 170 receives a copy of the certificate 135…” the retrieving public key certificates is standard.

With respect to claim 9, Tang in view of Bruce and in further view of Mariana discloses all the limitations. With respect to “receiving second session key….; decrypting second session key…; receiving a second set of magnetic card data…; and encrypting the second set of magnetic card data…; and transmitting the encrypted second set of…” these limitations differed from prior art only in requiring the addition of session key and card data to be duplicated. Therefore, it has been held mere duplication of parts has no patentable significance unless new and unexpected result is produce. (In re Harza, 124 USPQ 378 (CCPA 1960)).

With respect to claim 21, Tang in view of Bruce and in further view of Mariana discloses all the limitations. With respect to “after SPM receive the first session key and decrypting the first session key receive a first set of magnetic card data. Tang discloses: wherein the first SPM is configured to: receive a first set of magnetic card data from the first card reader; encrypt the first set of magnetic card data using, at least in part, the first session key; and transmit the encrypted first set of magnetic card data to the POS server (See paragraph 0035, 0049, 0071 and 0074); Bruce discloses: use of encryption/decryption of the session key between two entities (See page 32-34, 185-187 and 574-577), the combination does not specifically teach that the first set of magnetic card data is received after receiving the encrypted first session key and decrypting the first session key. However, there are finite timing aspect of when the first set of magnetic card data is received in relation to the sharing of the key (including the encryption/decryption of the session key), e.g. before or after the encrypted first session key is received and decrypted as long as the session key is made available prior to its use. Therefore, the combination of the prior art teaches the limitation above.

Claims 19-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tang (US 20050147250) in view of “Applied Cryptography" by Bruce Schneier (hereafter ‘Bruce’) (Reference U) in further view of Mariana (US 7047558) and Parkinson (US 20080022122).
With respect to claims 19-20 Tang in view of Bruce and in further view of Mariana discloses all the limitations. Tang in view of Bruce and in further view of Mariana does not explicitly disclose: wherein the first session key is a pseudorandom key. Parkinson discloses: wherein the session key is a pseudorandom key ((See paragraph 0008, 0017, 0042). Therefore, it would have been obvious to one of the ordinary skills in the art at the time invention was made to modify the combination of Tang, Bruce and Mariana references in order to provide a strong PRNG for generating keys (See Parkinson paragraph 0009).
With respect to “second session key….; this limitation differed from prior art only in requiring the addition of session key to be duplicated. Therefore, it has been held mere duplication of parts has no patentable significance unless new and unexpected result is produce. (In re Harza, 124 USPQ 378 (CCPA 1960)).


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZESHAN QAYYUM whose telephone number is (571)270-3323. The examiner can normally be reached Monday-Friday 9:00AM-6:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached on 5712726708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZESHAN QAYYUM/Primary Examiner, Art Unit 3685