DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to submission filed 06/28/2022. Claims 1, 8 and 15 are amended and claims 1-20 remain pending.

Response to Arguments
Applicant’s arguments, see Remarks: page 9, filed 6/28/2022, with respect to the rejection(s) of claim(s) 1-20 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Flurscheim in view of Fourez.


Examiner’s Note
Claims 1, 8 and 15, first recite “a single-use token value”, then next recitations in 1-2, 5-6, 8-9, 12-13, 15-16 and 19-20 is recited as “the token value”.
For examination, it is clear that all recitations of “the token value” refer back to the recited “a single-use token value” in each of claims 1, 8 and 15.

Examiner’s Note on Subject Matter Eligibility (Software per se Analysis)
Per claim 1, as previously indicated, a “processor” for “receive[ing] a service request over a public network” requires a hardware implemented “network interface” with an associated network address accessible over the public network. As such, claims 1-7 are determined subject matter eligible.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/11/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claim(s) 1-2, 4-6, 8-9, 11-16, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Flurscheim, US2017/0221054 in view of Fourez, US2017/0200155.

 Per claim 1, Flurscheim discloses an identity authority computing device comprising a processor programmed to: 
communicate with a public network and with a secure data processing domain, and prevent access from the public network to data stored in the secure data processing domain (A “transaction processing computer” may include a network of one or more devices that can process and route transaction request messages. An exemplary transaction processing computer may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, transaction scoring services, and clearing and settlement services. An exemplary transaction processing system may include VisaNet™. Transaction processing systems such as VisaNet™ are able to process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™, in particular, may include a VIP system (Visa Integrated Payments system) which processes authorization requests and a Base II system which performs clearing and settlement services – Flurscheim: par. 0041); 
receive a service request over the public network the service request including a service provider identifiers and a single-use token value associated with one of the users (The application provider computer 40 may generate a unique transaction identifier (e.g., a UUID) corresponding to the transaction. At step S130A, the application provider computer 40 may transmit the token, transaction amount, transaction identifier, and/or other transaction data to a gateway computer 45 … At step S140A, the transport computer 50 may generate an authorization request message using the token data, the verification value, the transaction amount, and/or other transaction data, and route the authorization request message to the transaction processing computer 60. [0051] At step S145A, the transaction processing computer 60 may transmit the token and any other token-related data to the token server 30 – Flurscheim: par. 0049-0051 – Note: wherein application provider computer facilitates completion of the transaction between the user and the resource provider using the transaction data and the token – par. 0004. The token is single-use since it is per payment transaction request); 
in response to the service request, access an identity database within the secure data processing domain, wherein the identity database stores a plurality of persistent user identifiers associated with a plurality of users (At step S145A,…The token server 30 may identify the sensitive information associated with the token (e.g., through a mapping or look-up table, by applying an algorithm to the token, and/or through any other means)  – Flurscheim: par. 0051 – Note: A mapping between the token reference identifier and a token representing the sensitive information may be stored by the token server – par. 0047); 
retrieve, from the identity database, at least one persistent user identifier associated in the identity database with the token value (At step S150A, the token server 30 may return the sensitive information to the transaction processing computer 60 to process the transaction using the sensitive information – Flurscheim: par. 0051); 
generate an updated service request including the at least one persistent user identifier (The transaction processing computer 60 may modify the authorization request message to include the sensitive information (e.g., a PAN) instead of the token – Flurscheim: par. 0052); 
generate an encrypted service request by using a [public] encryption key associated with the service provider identifier to encrypt the updated service request (download manager 818 [included in an application 812] may request and obtain sensitive information or token via the application provider associated with the application 812, and stored the sensitive information or token in sensitive information data store 816. In some embodiments, the sensitive information or token provided by the application provider can be received in an encrypted form. For example, the sensitive information or token can be encrypted with a session key generated by a token server – Flurscheim: par. 0092); and 
Flurscheim is not relied on to disclose but Fourez discloses transmit[ting], within the secure data processing domain (i.e., secure pairing/session), the encrypted service request to a service provider computing device associated with the service provider identifier (The wallet application (or other application on sender device 204) creates a payment data package (i.e., payment instruction) containing data that authorizes the recipient to debit a payment account of the sender for the transaction amount. The payment package is encrypted using the unique public key of the receiver 202 which was received during the pairing process… In this embodiment, the sender 204 transmits or provides the encrypted payment package to a payments server, e.g., a P2P/P2M server 209, without having the payment package pass through the receiver 202… The P2P/P2M server 209 receives the encrypted payment data package and decrypts it with the private key that corresponds to the receiver's public key. The P2P/P2M server 209 then processes the transaction as a standard purchase transaction on a payment network 106 – Fourez: par. 0039-0040).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Flurscheim in view of Fourez to include transmit[ting], within the secure data processing domain, the encrypted service request to a service provider computing device associated with the service provider identifier.
One of ordinary skill in the art would have been motivated because it would allow “enabling secure and guaranteed person-to-person and person-to-merchant payments” – Fourez: par. 0005.

Per claim 8, it recites a computer-implemented method for secure transmission of user identifiers, said method implemented using an identity authority computing device including a processor, said method comprising the steps for performing the operations set forth in claim 1. 
Therefore, claim 8 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above.

Per claim 15, it recites a non-transitory computer readable storage media having computer-executable instructions embodied thereon, wherein when executed by an identity authority computing device having a processor, the computer-executable instructions cause the processor to perform the operations set forth in claim 1.
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2, 9 and 16, Flurscheim in view of Fourez discloses features of Claims 1, 8 and 15, wherein the processor is further programmed to: 
receive a service response from the service provider computing device, the service response including response data and the at least one persistent user identifier (At step S160A, the authorizing entity computer 70 returns its authorization decision via an authorization response message to the transaction processing computer 60. The authorization response message may include the sensitive information – Flurscheim: par. 0053); 
filter the at least one persistent user identifier from the service response (the transaction processing computer 60 may replace the sensitive information with the token in the authorization response message – Flurscheim: par. 0053); and 
transmit the filtered service response and the token value to an interface computing device (At step S165A, the transaction processing computer 60 may route the modified authorization response message to the transport computer 50 – Flurscheim: par. 0053).

Per claims 4, 11 and 18, Flurscheim in view of Fourez discloses features of Claims 1, 8 and 15, wherein the service request is received from a user computing device in temporary local data communication with an interface computing device (In some embodiments, where an access device may comprise a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer-readable medium. A reader may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include radio frequency (RF) antennas, optical scanners, bar code readers, or magnetic stripe readers to interact with a payment device and/or mobile device. Other examples of access devices include devices (e.g., locks, gates, access control boxes, etc.) that control physical access to locations (e.g., venues, transit stations, homes, offices, buildings, etc.), as well as software devices that control access to data or information – Flurscheim: par. 0024).

Per claims 5, 12 and 19, Flurscheim in view of Fourez discloses features of Claims 1, 8 and 15, wherein the service request is received from an interface computing device in response to receipt by the interface computing device of the token value from a user computing device (In some embodiments, where an access device may comprise a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer-readable medium. A reader may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include radio frequency (RF) antennas, optical scanners, bar code readers, or magnetic stripe readers to interact with a payment device and/or mobile device. Other examples of access devices include devices (e.g., locks, gates, access control boxes, etc.) that control physical access to locations (e.g., venues, transit stations, homes, offices, buildings, etc.), as well as software devices that control access to data or information – Flurscheim: par. 0024 – Note: see Fig. 1A, communication device 10 and access device 20).

Per claims 6, 13 and 20, Flurscheim in view of Fourez discloses features of Claims 1, 8 and 15, wherein the token value is a one-time password generated by a user computing device based on a token secret generated by the identity authority computing device (a token may be used in place of a PAN to initiate, authorize, settle or resolve a payment transaction. The token may also be used to represent the original credential in other systems where the original credential would typically be provided. In some embodiments, a token value may be generated such that the recovery of the original PAN or other account identifier from the token value may not be computationally derived – Flurscheim: par. 0038 – Note: Primary Account Number (PAN) is a persistent id.

2.	Claim(s) 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Flurscheim, US2017/0221054 in view of Fourez, US20170200155 as applied to claims 2, 9 and 16  above, and further in view of Arya, US10984434.

Per claims 3, 10 and 17, Flurscheim in view of Fourez discloses features of Claims 2, 9 and 16.
Flurscheim and/or Fourez are not relied on to disclose but Arya discloses wherein the service response includes at least one of credit history data, personal background data, and vehicle insurance data (At 722, the provider computing system 104 aggregates the customer's financial information with financial information for other similar customers of the accounts provider. For example, the provider computing system 104 may remove any personal identifying information from the customer's financial information and aggregate the customer's financial information with other customers similar to the customer based on an analysis of the customer's demographic information (e.g., to identify other customers similar to the customer based on age, income level, stage in life, etc.) – Arya: col. 27, lines 9-35 – Note: customer’s financial information is equivalent to credit history report).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Flurscheim in view of Fourez further in view of Arya to include wherein the service response includes at least one of credit history data, personal background data, and vehicle insurance data.
One of ordinary skill in the art would have been motivated because it would allow preparing “a social benchmarking report for the customer based on the aggregated financial information” and preparing “one or more charts or graphs comparing the customer's spending and savings habits to spending and savings habits of the aggregated customers similar to the customer” – Arya: col. 27, lines 9-35).

3.	Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Flurscheim, US2017/0221054 in view of Fourez, US20170200155 as applied to claims 1, 8 and 15 above, and further in view of Steinberg, US2020/0211002A1.

Per claims 7 and 14, Flurscheim in view of Fourez discloses features of Claims 1 and 8.
Flurscheim and/or Fourez are not relied on to disclose but Steinberg discloses wherein the at least one persistent user identifier is at least one of a social security number and a driver's license number (When the user wishes to authorize use of an identifier (e.g., a credit card number, SSN or an account number) for a transaction, the user generates an Authorization Token through the steps shown in FIG. 4…whether the authorized use is for one-time only or multiple times during that period, a maximum number of transactions constraint which may limit the number of transactions which may be performed using the token – Steinberg: par. 0051).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Flurscheim in view of Fourez further in view of Steinberg to include wherein the service response includes at least one of credit history data, personal background data, and vehicle insurance data.
One of ordinary skill in the art would have been motivated because it would allow securing data or transactions by providing a limited authorization to use specified identifiers such as SSN or the like – Steinberg: par. 0002-0004.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Barkas (US11257085) discloses a card network computing system detokenizing a payment token in a transaction request, thereby resulting in the actual card number (i.e., the PAN). The card network computing system sends the transaction request and the PAN to the financial institution computing system. The financial institution computing system then processes the transaction request.
Mattsson (US2014/0177825) discloses tokenization of data as generation of tokenized data by querying one or more token tables mapping input values to tokens with the one or more portions of the data, and replacing the queried portions of the data with the resulting tokens from the token tables. Tokenization can be combined with encryption for increased security, for example by encrypting sensitive data using a mathematically reversible cryptographic function (e.g., datatype-preserving encryption or DTP), an asymmetric cryptographic function (e.g., public key cryptography).
Ang (US2012/0278897) discloses tokens included in results returned from the cloud, are intercepted by the intercepting proxy server, and replaced with the corresponding real data elements. In order for the sort order of the tokens to correspond to the sort order of the corresponding real data elements, a sort order preserving data compression is performed on parts of the real data elements, and the compressed values concatenated with the obfuscated tokens, thus producing sortable tokens which, even though they are obfuscated, appear in the correct sort order in the cloud application.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494