Acknowledgements
This communication is in response to applicant’s response filed on 06/15/2022.
Claims 1-2, 13, and 17 have been amended. Claims 5 and 18 have been cancelled.
Claims 1-4, 6-17, and 18-20 are pending and have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/15/2022 has been entered.
 
Response to Arguments
Regarding applicant’s arguments:
Regarding applicant’s argument under Claim Rejections - 35 USC § 103 that the combination of Gomes (US 20180082284) in view of Dahn (US 20200279242) in further of view of Kenney (US 20210174352) does not teach or suggest "in response to determining that both the first location and the second location are within a same area in which authentication is required…store at least two different card information data items and authentication information representing the authentication cryptogram and the authorized transaction identifier, wherein the at least two different card information data items include the user card information -2-Application No.: 17/398942Filing Date: August 10, 2021 and the virtual card information, and wherein the user card information and the authentication information are not sent to the third-party service," as recited in amended claim 1, and examiner respectfully argues that applicant’s argument is moot in light of the new grounds of rejection necessitated by the amendments to claim 1. Applicant’s makes a similar argument for claims 13 and 17, and examiner respectfully argues these arguments are moot for the same reasons listed above for claim 1.
Applicant argues dependent claims are patentable because of their dependency on independent claims 1, 13, and 17. Examiner respectfully argues applicant’s arguments are moot in light of the new grounds of rejection necessitated by the amendments to claims 1, 13, and 17. 

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/11/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over McCarthy (US 20150161596) in view of Li (US 20150339661) in further view of Radu (US 2020) in further view of Williamson (US 20200051084) in further view of Patterson (US 20160232527).

Regarding Claims 1, 13, and 17, McCarthy teaches receive, from a user device: a booking request for a third-party service (Paragraph 0041 teaches the process begins with a customer booking a hotel room using the booking engine; the booking engine could be implemented at a website operated by the hotel or by a third party, and card information could be entered by the customer (e.g., using the website)); and user card information regarding a user card associated with a first account (Paragraph 0041 teaches the customer's card number is passed to the booking engine; the card number is provided by the booking engine to the hotel's integrated point-of-sale (POS) system); obtain virtual card information comprising a card number from a virtual card transaction processing system (Paragraph 0042 teaches the integrated POS system calls out to the tokenization service (and provides the customer's card number to the tokenization service) in order to obtain a token representing the card number (PAN); the tokenization system tokenizes the PAN (generates a token) and stores the token (in association with the PAN) for future reference); send, to the third-party service, the virtual card information and booking information regarding the booking request (Paragraphs 0041-0042 teach booking details are provided by the booking engine to the hotel's integrated point-of-sale (POS) system; the tokenization service also passes the token to the hotel; it is assumed that the customer checks into the hotel, with the hotel integrated POS system recognizing that the customer has previously provided card information and that further card information is not needed from the customer); receive, from the user card transaction processing system, an authorized transaction identifier (Paragraph 0037 teaches the transaction processing system may store transaction identifiers; each response message (with a PAN in the PAN field) from the issuer system may be evaluated to determine if the transaction is one for which a token was provided to the transaction processing system by the merchant system); and store at least two different card information data items and authentication information representing the authorized transaction identifier, wherein the at least two different card information data items include the user card information -2-and the virtual card information, and wherein the user card information and the authentication information are not sent to the third-party service (Paragraphs 0021 and 0037 teach the tokenization service generates tokens corresponding to payment card numbers and maintains one or more databases that store encrypted payment card numbers, along with the corresponding token generated for each payment card number (PAN), so that tokens and corresponding payment card numbers are linked; the generated token numbers are provided to a merchant when a payment card number is requested by the merchant; the transaction processing system could retain and store the token in association with the transaction identifier; the network is intended to eliminate the need for a merchant to store and use a PAN; authorization messages (both requests and responses) include, within their respective data fields, a transaction identifier or reference number which enables the merchant system to match-up a response message to the original authorization request message for the same transaction).
However, McCarthy does not explicitly teach obtain virtual card information comprising a card number and an expiration date from a virtual card transaction processing system, wherein the virtual card is associated with an account having a zero balance. 
Li from same or similar field of endeavor teaches obtain virtual card information comprising a card number and an expiration date from a virtual card transaction processing system, wherein the virtual card is associated with an account having a zero balance (Paragraph 0057 teaches the card management server stores information associated with the request including the virtual card value; the balance of the virtual card is set to zero, and an expiration date is set to a date that is a user configured number of days (e.g., 365) into the future (e.g., relative to the current time); the card management server has successfully stored the information associated with the new virtual card).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in McCarthy, which teaches making a booking request and supplying a virtual card number to the third-party service, to incorporate the teachings of Li to obtain virtual card information comprising a card number and an expiration date from a virtual card transaction processing system, wherein the virtual card is associated with an account having a zero balance.
There is motivation to combine Li into McCarthy because it is desirable to allow users of an online payment platform to use funds associated with their respective online payment platform accounts to pay a merchant whose systems have not been integrated with those of the online payment platform but have been traditionally integrated with those of one or more card management services (Li Paragraph 0022). The user who had selected to pay for the transaction using his or her online payment platform may not know of the virtual card value generated for the transaction and/or the involvement of the card management server (Li Paragraph 0071).
However, the combination of McCarthy and Li does not explicitly teach determine a first location of a first transaction processing system associated with the user card; determine a second location of a second transaction processing system associated with the system; determine that both the first location and the second location are within an area in which authentication is required; in response to determining that both the first location and the second location are within a same area in which authentication is required: initiate a first transaction with the user card transaction processing system based at least partly on the user card information, wherein the first transaction verifies the user card information without initiating a transfer of payment; cause initiation, by the user card transaction processing system, of at least one security measure in connection with the first transaction; and receive, from the user card transaction processing system, an authentication cryptogram, wherein the authentication cryptogram represents satisfaction of the security measure for the first transaction.
Radu from same or similar field of endeavor teaches determine a first location of a first transaction processing system associated with the user card (Paragraphs 0122-0123 and 0126-0130 teach FIG. 12 relates to the Regulations Inquiry Service; this Service acts to determine the need for Cardholder Authentication step-up at Card Add in SRC; the RIS wants to determine whether Cardholder Authentication step-up at Card Add in SRC is needed, or not, for a given Issuer Country Code; this enables SRC to comply with market and/or regional requirements (e.g., PSD2 in the EU) concerning the enrollment of one of the Consumer's cards in his Consumer Profile; an Issuer Country Code is listed in the “Cardholder Authentication Required at Card Add Countries” white list; the “Cardholder Authentication Required at Card Add Countries” is a list enumerating the ISO 3166-1 numeric Country Codes of those countries where the local financial regulations impose as mandatory Cardholder Authentication step-up at Card Add; the local financial regulations can be determined by national financial organizations (like UK Cards in UK, or Bancontact in Belgium) or by regional institutions (like the European Union Commission, imposing the PDS2 norm to the member countries)); determine a second location of a second transaction processing system associated with the system (Paragraphs 0051, 0094, and 0099-0101 teach to support tokenization, a token service provider is present (the token service provider may be provided by a third party with appropriate trust relationships), and the transaction scheme infrastructure provides a digital enablement service to support the performance of tokenized digital transactions, and to interact with other elements of the system to allow transactions to be performed correctly (i.e., the token service provider may be a separate transaction processing system); next, a determination is whether the card is available for tokenization; the transaction scheme provider may have defined the ranges of cards that are available for digitization; when Mastercard® Digital Enablement Service (MDES) receives a digitization request concerning a specific PAN, it call this MPS system to get whether the PAN is in a range that is marked by the issuer as one that is made available for digitization; the process of token creation is described above with respect to FIG. 18; the process then proceeds to cardholder assurance and the payment transaction as shown in FIG. 8; this user authentication, in the form of Cardholder Assurance Data, takes place next and is used both for completing the enrollment process and for the transaction; the SRC process provides payment credentials to SRCi, which then may initiate 3DS2 for cardholder assurance or if this is not an available option, may submit an authorization request to the transaction system.; if the authentication is found to be successful then the token is set in the Consumer Profile, an SRC Payload using the token is computed to provide a result for use for the UCAF field described elsewhere in this specification, and this is inserted into an authorization by the SRCi service at the appropriate time; if issuer requirements for tokenization (FIG. 11) are met, a decision is needed as to whether step-up is needed for tokenization (typically determined by issuer country requirements); tokenization then takes place with or without (FIG. 12) step-up as previously determined with a determination of whether additional authentication is needed if step-up has been used); determine that both the first location and the second location are within an area in which authentication is required (Paragraphs 0083-0085 teach the issuer determines whether tokenization is allowed for the identified card; if it is, the enrollment process is ready to be completed, but requires user authentication; this user authentication, in the form of Cardholder Assurance Data, takes place next and is used both for completing the enrollment process and for the transaction; it will normally take place through a 3-D Secure process flow (3DS2 in the arrangement shown here); the SRC enrollment and payment process continues and if successful maps the token to the digital card in the vault and sets the digital card to be usable, thereby completing the enrollment, and creates an authenticated Accountholder Authentication Value (AAV), which is the present applicant's approach to generating the UCAF (Universal Cardholder Authentication Field) used in the 3-D Secure process for the transaction; use of 3D Secure to provide an AAV in this way is shown in FIG. 6; the first step is to determine where the issuer has an Access Control Server (ACS) configured to make an assessment for the relevant account; if yes, then this issuer ACS follows the following process; there may be an initial Risk Based Authentication (RBA) process carried out on behalf of the issuer; it will then be determined whether it is necessary for an issuer decision to be made for cardholder authentication; if so, then the cardholder authentication follows; if this is passed, then a fully authenticated AAV is again created); in response to determining that both the first location and the second location are within a same area in which authentication is required: initiate a first transaction with the user card transaction processing system based at least partly on the user card information, wherein the first transaction verifies the user card information without initiating a transfer of payment (Paragraph 0083 teaches after this, Card Tokenization takes place; this involves the issuer (or a proxy for the issuer) determining whether tokenization is allowed for the identified card; if it is, then a token is bound with the digital card; the enrollment process is thus not complete at this point. The enrollment process is ready to be completed, but requires user authentication); cause initiation, by the user card transaction processing system, of at least one security measure in connection with the first transaction (Paragraph 0084 teaches user authentication, in the form of Cardholder Assurance Data, takes place next and is used both for completing the enrollment process and for the transaction; it will normally take place through a 3-D Secure process flow (3DS2 in the arrangement shown here)); receive, from the user card transaction processing system, an authentication cryptogram, wherein the authentication cryptogram represents satisfaction of the security measure for the first transaction (Paragraph 0084 teaches the SRC enrollment and payment process continues and if successful maps the token to the digital card in the vault and sets the digital card to be usable, thereby completing the enrollment, and creates an authenticated Accountholder Authentication Value (AAV) (i.e., cryptogram), which is the present applicant's approach to generating the UCAF (Universal Cardholder Authentication Field) used in the 3-D Secure process for the transaction).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy and Li, which teaches making a booking request and supplying a virtual card number, wherein the virtual card number maintains a zero-balance, to the third-party service, to incorporate the teachings of Radu to determine a first location of a user card transaction processing system associated with the user card; determine a second location of a transaction processing system associated with the system; determine, based at least partly on the user card information, that both the first location and the second location are within an area in which authentication of the user card is required; in response to determining that both the first location and the second location are within a same area in which authentication is required: initiate a first transaction with the user card transaction processing system based at least partly on the user card information, wherein the first transaction verifies the user card information without initiating a transfer of payment; cause initiation, by the user card transaction processing system, of at least one security measure in connection with the first transaction; and receive, from the user card transaction processing system, an authentication cryptogram, wherein the authentication cryptogram represents satisfaction of the security measure for the first transaction.
There is motivation to combine Radu into the combination of McCarthy and Li because online commerce currently lacks consistency between different payment schemes and requires a relatively high level of user activity to support online payments. It would be desirable to provide greater uniformity, and to reduce the number of situations in which a user is required to provide user credentials (for authorization or otherwise) to reduce the risk that such data could be compromised. It would be desirable for effective security and an improved user experience to enable such a process to provide an effective and secure interaction with all necessary systems as simply as possible. This aspect may be effectively used where the 3D Secure mechanism (for example, where 3DS2 has been adopted) is such that the cardholder approval using the mechanism provides a sufficient assurance that the token was created in the name of the legitimate cardholder for a genuine card. This achieves a solution which operates seamlessly for the cardholder by providing a “backward trust transfer” from the payment process to the enrollment process (Radu Paragraphs 0010-0011 and 0018).
However, the combination of McCarthy, Li and Radu does not explicitly teach store at least two different card information data items and authentication information representing the authentication cryptogram and the authorized transaction identifier, wherein the at least two different card information data items include the user card information -2-Application No.: 17/398942Filing Date: August 10, 2021 and the virtual card information.
Williamson from same or similar field of endeavor teaches store at least two different card information data items and authentication information representing the authentication cryptogram and the authorized transaction identifier, wherein the at least two different card information data items include the user card information -2-Application No.: 17/398942Filing Date: August 10, 2021 and the virtual card information (Paragraph 0063 teaches the token requestor stores the token with the consumer's account at the online merchant; the token provider stores the token, the PAN associated with the token, and the authentication data (i.e., AAV) in a “Token Vault” (i.e., a database repository) for use by subsequent payment transaction authorizations).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, and Radu, which teaches making a booking request and supplying a virtual card number, wherein the virtual card number maintains a zero-balance, to the third-party service after authenticating user card information, to incorporate the teachings of Williamson to store at least two different card information data items and authentication information representing the authentication cryptogram and the authorized transaction identifier, wherein the at least two different card information data items include the user card information -2-Application No.: 17/398942Filing Date: August 10, 2021 and the virtual card information.
There is motivation to combine Williamson into McCarthy and Li because as part of tokenization, it is desirable that Identification and Verification occur to ensure that the person requesting the token is the authorized user of the card. To do so, it is desirable to have the ability to capture the right data and flag the right message types when the token is issued. The data may be provided from the token requestor via an API or through existing interfaces such as 3-D Secure (3DS). Further, it is desirable to track and communicate, at each subsequent transaction, the identity and verification process that occurred when the token was provisioned. It is also desirable to communicate, in the authorization message, additional data about the transaction and the token to help mitigate risk (Williamson Paragraph 0016).
However, the combination of McCarthy, Li, Radu, and Williamson does not explicitly teach the virtual card information comprises a security code; receive, from the third-party service, a request to charge a cancellation penalty and a penalty amount to be charged; initiate a second transaction with the user card transaction processing system using the user card information and the authentication information, wherein the second transaction comprises transfer of the penalty amount into an account associated with the system; initiate a third transaction with the virtual card transaction processing system using the virtual card information, wherein the third transaction comprises transfer of the penalty amount from the account associated with the system into the account associated with the virtual card; and transmit, to the third-party service, a notification regarding the cancellation penalty.
Patterson from same or similar field of endeavor teaches the virtual card information comprises a security code (Paragraphs 0021 and 0035 teach “tokenization” is a process by which data is replaced with substitute data; for example, a payment account identifier may be tokenized by replacing the primary account identifier with a substitute number (e.g. a token) that may be associated with the payment account identifier; tokenization may be applied to any other information that may be replaced with a substitute value (i.e., security code); an authorization request message may also comprise additional data elements such as a CVV (card verification value), a dCW (dynamic card verification value), a payment token, a user name, an expiration date, etc.); receive, from the third-party service, a request to charge a cancellation penalty and a penalty amount to be charged (Paragraphs 0103-0104 teach transactions may involve no show charges; for example, when a consumer completes a reservation with a hotel, the hotel may generate an authorization request to validate the consumer account; if the consumer does not cancel the reservation prior to the “Terms and Conditions” provided by the merchant, it may be valid for the merchant to submit a transaction to charge the consumer); initiate a second transaction with the user card transaction processing system using the user card information and the authentication information, wherein the second transaction comprises transfer of the penalty amount into an account associated with the system (Paragraphs 0105 and 0064 teach merchants may be enabled to initiate a device not present no show transaction without requiring storage of cryptography; one or more of the authorization or clearing message may identify the transaction as one that involves a no show event, as well as reference the original authorization; in a second subsequent transaction (i.e., no show charge) that is linked to the first transaction (i.e., original authorization), the server computer receives a second authorization request message comprising the token from the resource provider computer for a transaction conducted in a second domain; the second authorization request message includes one or more of an amount, the token, a related transaction indicator for the first transaction, reference data for the first transaction, and other information); initiate a third transaction with the virtual card transaction processing system using the virtual card information, wherein the third transaction comprises transfer of the penalty amount from the account associated with the system into the account associated with the virtual card (Paragraphs 0066, 0093-0094, and 0096 teach initiating authorizing the transaction may include performing authorization processing on the second transaction or it may include forwarding the second authorization request message to an authorizing computer to allow the authorizing computer to perform authorization processing; after the token issuer obtains the real account number, the token issuer sends the real account identifier to the processing network computer which may forward it to the authorizing computer; the authorizing computer may determine if there are or are not sufficient funds and/or credit in the account associated with the real account identifier; once the authorizing computer has made an authorization decision, the authorizing computer may then send a second authorization response message back to the processing network computer; after the processing network computer receives the token from the token issuer, the processing network computer may modify the authorization response message received from the authorizing computer to replace the real account identifier with the token); and transmit, to the third-party service, a notification regarding the cancellation penalty (Paragraphs 0066 and 0097 teach the second authorization response message may be sent back to the resource provider computer from the server computer).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, and Williamson, which teaches making a booking request and supplying a virtual card number after authenticating user card information, wherein the virtual card number maintains a zero-balance, to the third-party service, to incorporate the teachings of Patterson for the virtual card information to comprise a security code; and to receive, from the third-party service, a request to charge a cancellation penalty and a penalty amount to be charged; initiate a second transaction with the user card transaction processing system using the user card information and the authentication information, wherein the second transaction comprises transfer of the penalty amount into a third account associated with the system; initiate a third transaction with the virtual card transaction processing system using the virtual card information, wherein the third transaction comprises transfer of the penalty amount from the third account associated with the system into the second account associated with the virtual card; and transmit, to the third-party service, a notification regarding the cancellation penalty.
There is motivation to combine Patterson into McCarthy, Li, Radu, and Williamson because hotel and car rental agencies have a variety of use cases that present challenges when tokens are involved. For example, some use cases include transactions involving incremental authorizations, no show charges, and ancillary charges. In each case, the merchant may properly disclose to the consumer that the consumer will be responsible for any charges associated with either the reservation or stay in accordance with the terms and conditions provided. However, domain restrictions on tokens can cause legitimate transactions from being processed (Patterson Paragraph 0100). The base invention is improved because embodiments of the invention can permit subsequent transactions that are related to prior transactions to be conducted with the same token, even though the token may be domain restricted. This is more efficient, than for example, issuing a separate token and cryptogram for each and every transaction submission in every conceivable domain. As such, embodiments of the invention are simpler and more complex than other potential processing protocols (Patterson Paragraph 0126).
Regarding Claim 1, McCarthy teaches a system comprising one or more computer processors programmed by executable instructions (Paragraphs 0046 and 0049 teach a computer system may provide the functions of the transaction processing system, as well as other components and functions of the invention described herein; software stored on and/or executed by the computer system can be used in implementing the processes seen in FIGS. 2, 4A and 4B; a tokenization service/system is connected to the transaction processing system).
Regarding Claim 13, McCarthy teaches a computer-implemented method comprising: under control of a computing system comprising one or more computing devices configured to execute specific instructions (Paragraphs 0046 and 0049 teach a computer system may provide the functions of the transaction processing system, as well as other components and functions of the invention described herein; software stored on and/or executed by the computer system can be used in implementing the processes seen in FIGS. 2, 4A and 4B; a tokenization service/system is connected to the transaction processing system).
Regarding Claim 17, McCarthy teaches a system comprising: an authentication information data store; and one or more computing devices in communication with the authentication information data store (Paragraph 0040 teaches FIG. 4A shows the parties involved as a “Booking Engine,” a “Tokenization Service,” a “Message Evaluation Application,” and a “Transaction Processing System;” the Booking Engine is a system to which a cardholder provides a card number in order to guarantee a reservation and to also have a card account against which the cost of the hotel room is charged when the cardholder checks out; the Message Evaluation Application is a software module that performs steps similar to the steps 230-236 described above in conjunction with FIG. 2, and can be resident at the transaction processing system, in a separate system associated with the transaction processing system, or in another system or switch placed in the flow of messages between the merchant and the issuer system).

Regarding Claim 2, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; and Li teaches in claim 1 wherein the one or more computer processors are further programmed by the executable instructions to at least: maintain the virtual card for at most one year; and deactivate the virtual card (Paragraph 0057 teaches the card management server stores information associated with the request including the virtual card value and the transaction amount corresponding to a new virtual card; for example an expiration date is set to a date that is a user configured number of days (e.g., 365) into the future (e.g., relative to the current time).

Regarding Claim 3, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; and McCarthy further teaches wherein the booking request is submitted through a web-based user interface (Paragraph 0041 teaches the process begins with a customer booking a hotel room using the booking engine; the booking engine could be implemented at a website operated by the hotel or by a third party).

Regarding Claim 4, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the user card information comprises a card number, an expiration date, and a security code.
Patterson further teaches wherein the user card information comprises a card number, an expiration date, and a security code (Paragraph 0017 teaches account information may include a PAN, user name, expiration date, and verification values such as CVV).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for the user card information to comprise a card number, an expiration date, and a security code.
There is motivation to further combine Patterson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 1.

Regarding Claim 6, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the at least one security measure relates to user-specific knowledge, user-owned devices, or user biometric data.
Williamson further teaches wherein the at least one security measure relates to user-specific knowledge, user-owned devices, or user biometric data (Paragraph 0062 teaches the authentication request may include a request for biometric data, an answer to a security question, a temporary password, a one-time code, or other data to confirm that consumer is cardholder associated with cardholder account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Williamson for the at least one security measure to relate to user-specific knowledge, user-owned devices, or user biometric data.
There is motivation to further combine Williamson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 1.

Regarding Claim 7, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the at least one security measure is conducted directly between the user device and user card transaction processing system.
Williamson further teaches wherein the at least one security measure is conducted directly between the user device and user card transaction processing system (Paragraph 0062 teaches the consumer receives an authentication request from the issuer; this authentication request uses a preexisting method of communication that was previously set-up between cardholder associated with cardholder account and issuer).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Williamson for the at least one security measure to be conducted directly between the user device and user card transaction processing system.
There is motivation to further combine Williamson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 1.

Regarding Claim 8, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 7 above; however, the combination does not explicitly teach wherein the at least one security measure is initiated through a pop-out window on the user device, redirecting the user device to an online interface associated with the user card transaction processing system, or an embedded window which can be accessed without redirecting the user device and which connects to the online interface associated with the user card transaction processing system.
Williamson further teaches 	 wherein the at least one security measure is initiated through a pop-out window on the user device, redirecting the user device to an online interface associated with the user card transaction processing system, or an embedded window which can be accessed without redirecting the user device and which connects to the online interface associated with the user card transaction processing system (Paragraph 0062 teaches the consumer receives an authentication request from issuer; this authentication request uses a preexisting method of communication that was previously set-up between cardholder associated with cardholder account and issuer; the authentication request may be an email or a text message (SMS message) transmitted to the consumer with a link to click on to continue registration)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Williamson for the at least one security measure to be initiated through a pop-out window on the user device, redirecting the user device to an online interface associated with the user card transaction processing system, or an embedded window which can be accessed without redirecting the user device and which connects to the online interface associated with the user card transaction processing system.
There is motivation to further combine Williamson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 1.

Regarding Claim 9, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the authentication cryptogram is an encrypted alphanumeric string issued by the user card transaction processing system, wherein the encrypted alphanumeric string is a combination of data related to the first transaction and data related to the user card.
Patterson further teaches wherein the authentication cryptogram is an encrypted alphanumeric string issued by the user card transaction processing system, wherein the encrypted alphanumeric string is a combination of data related to the first transaction and data related to the user card (Paragraphs 0059 and 0076 teach the cryptogram may have been generated using an encryption key that resides on the communication device; the encryption key may be used to encrypt data from the resource provider computer (e.g., a terminal ID, date and time of the transaction, etc.) and data from the communication device (e.g., a device ID, the token, the token expiration date, etc.) to form the cryptogram).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for the authentication cryptogram to be an encrypted alphanumeric string issued by the user card transaction processing system, wherein the encrypted alphanumeric string to be a combination of data related to the first transaction and data related to the user card.
There is motivation to further combine Patterson into the combination of Gomes and Kenney because using cryptography helps protect card data and tokens and acts as proof of the interaction between the consumer and a merchant (Patterson Paragraph 0002).

Regarding Claim 10, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the penalty amount to be charged is at least partly based on policies associated with the third-party service.
Patterson further teaches wherein the penalty amount to be charged is at least partly based on policies associated with the third-party service (Paragraph 0100 teaches Hotel and car rental agencies have a variety of use cases that present challenges when tokens are involved; some use cases include transactions involving incremental authorizations, no show charges, and ancillary charges; the merchant may properly disclose to the consumer that the consumer will be responsible for any charges associated with either the reservation or stay in accordance with the terms and conditions provided).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for the charged penalty amount to be at least partly based on policies associated with the third-party service.
There is motivation to further combine Patterson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because identifying the no show transaction in the submitted transaction protects the merchant from chargeback (Patterson Paragraph 0103).

Regarding Claim 11, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the request to charge a cancellation penalty and the penalty amount is submitted through a web-based user interface.
Patterson further teaches wherein the request to charge a cancellation penalty and the penalty amount is submitted through a web-based user interface (Paragraphs 0105, 0090, and 0092 teach merchants may be enabled to initiate a device not present (e.g., card not present) no show transaction without requiring storage of cryptography; for example, one or more of the authorization or clearing message may identify the transaction as one that involves a no show event, as well as reference the original authorization; the resource provider computer may generate a second authorization request message that contains a token obtained from a data store at the resource provider computer; the second authorization request message may comprise the token, an empty data field for a cryptogram, and additional data; the additional data may include a related transaction indicator and/or reference data associated with the first authorization request including a transaction ID, a time and date of the first authorization request, etc.; the processing network computer may receive, and may then determine that the second authorization request message contains the token then determine the real account identifier from the token).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for the request to charge a cancellation penalty and the penalty amount to be submitted through a web-based user interface.
There is motivation to further combine Patterson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because the web-based user interface enables brick and mortar merchants to integrate their retail outlets with their web/mobile presence (Patterson Paragraph 0108).

Regarding Claim 12, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 1 above; however, the combination does not explicitly teach wherein the second transaction is initiated without re-verification of the user card information.
Patterson further teaches wherein the second transaction is initiated without re-verification of the user card information (Paragraph 0092 teaches the processing network computer may receive a second authorization request message that contains the token; the processing network computer may determine that the cryptogram data field is empty and that the additional data indicates that this second authorization request is tied to the first authorization request; the absence of the cryptogram in the cryptogram data field indicates to the processing network computer that the transaction may be processed (i.e., without re-verification), even though the token is being used in a domain that is different than its intended domain restriction; if the token issuer determines that the token is valid, the token issuer may then retrieve the real account number corresponding to the token from a database).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for the second transaction to be initiated without re-verification of the user card information.
There is motivation to further combine Patterson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because a no-show transaction may be problematic when utilized with tokenization. To address this problem, merchants may be enabled to initiate a device not present (e.g., card not present) no show transaction without requiring storage of cryptography. For example, one or more of the authorization or clearing message may identify the transaction as one that involves a no-show event, as well as reference the original authorization. The no show transaction may be particularly useful in relevant merchant category codes (e.g., hotel, car rental, etc.) (Patterson Paragraph 0104-0105).

Regarding Claim 14, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 13 above; however, the combination does not explicitly teach wherein initiating the first transaction with the user card transaction processing system comprises: sending the user card information to a transaction processing system associated with the computing system; and causing the transaction processing system associated with the computing system to send an authentication request to the user card transaction processing system.
Williamson further teaches wherein initiating the first transaction with the user card transaction processing system comprises: sending the user card information to a transaction processing system associated with the computing system (Paragraph 0061 teaches authentication data is collected by token requestor and passed to token provider; the token provider evaluates the authentication data and generates one or more network confidence scores that represent a level of confidence as to whether the consumer is truly the authorized cardholder; these confidence scores are passed to issuer that either allows or denies the token creation process to proceed; after the issuer initiates token creation, the issuer determines whether to initiate an additional authentication and response query with the consumer); and causing the transaction processing system associated with the computing system to send an authentication request to the user card transaction processing system (Paragraph 0062 teaches the consumer receives an authentication request from issuer; this authentication request uses a preexisting method of communication that was previously set-up between cardholder associated with cardholder account and issuer; the authentication request may include a request for biometric data, an answer to a security question, a temporary password, a one-time code, or other data to confirm that consumer is cardholder associated with cardholder account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Williamson for initiating the first transaction with the user card transaction processing system to comprise: sending the user card information to a transaction processing system associated with the computing system; and causing the transaction processing system associated with the computing system to send an authentication request to the user card transaction processing system.
There is motivation to further combine Williamson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 13.

Regarding Claim 15, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 13 above; however, the combination does not explicitly teach wherein causing initiation of at least one security measure comprises: determining that authentication of the user card information is required; and causing the user card transaction processing system to communicate the at least one security measure to the user device.
Williamson further teaches wherein causing initiation of at least one security measure comprises: determining that authentication of the user card information is required (Paragraph 0061 teaches the issuer determines whether to initiate an additional authentication and response query with the consumer, such as a separate authentication email and response); and causing the user card transaction processing system to communicate the at least one security measure to the user device (Paragraph 0062 teaches the consumer receives an authentication request from the issuer; the authentication request may be an email or a text message (SMS message) transmitted to the consumer with a link to click on to continue registration. In other embodiments, the authentication request may include a request for biometric data, an answer to a security question, a temporary password, a one-time code, or other data to confirm that the consumer is cardholder associated with cardholder account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Williamson for causing initiation of at least one security measure comprises: determining that authentication of the user card information is required; and causing the user card transaction processing system to communicate the at least one security measure to the user device.
There is motivation to further combine Williamson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 13.

Regarding Claim 16, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 13 above; however, the combination does not explicitly teach wherein initiating the second transaction comprises using the authentication cryptogram and the user card information to transfer payment from the first account associated with the user card into the third account.
Patterson further teaches wherein initiating the second transaction comprises using the authentication cryptogram and the user card information to transfer payment from the first account associated with the user card into the third account (Paragraphs 0060 and 0064-0065 teach after the server computer receives the first authorization request message, the server computer verifies the cryptogram; in a second subsequent transaction that is linked to the first transaction, the server computer receives a second authorization request message comprising the token from the resource provider computer for a transaction conducted in a second domain; although the second subsequent transaction is being conducted via a different domain than the first transaction, the server computer will still continue to process the transaction and will not decline the transaction; this is because the server computer has determined that the current transaction is related to the first transaction and is not an original submission (i.e., server computer has the cryptogram from the first authorization request)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for initiating the second transaction to comprise using the authentication cryptogram and the user card information to transfer payment from the first account associated with the user card into the third account.
There is motivation to further combine Patterson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because using an authentication cryptogram helps protect card data and tokens and acts as proof of the interaction between the consumer and a merchant (Patterson Paragraph 0002).

Regarding Claim 19, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 17 above; however, the combination does not explicitly teach wherein the one or more computing devices are further configured to at least determine a value associated with the delayed transaction, wherein the value is based at least partly on a disclosure sent to the user device in connection with the user-initiated transaction, and wherein the user-initiated transaction comprises a zero-value transaction.
Patterson further teaches wherein the one or more computing devices are further configured to at least determine a value associated with the delayed transaction, wherein the value is based at least partly on a disclosure sent to the user device in connection with the user-initiated transaction, and wherein the user-initiated transaction comprises a zero-value transaction (Paragraphs 0103 and 0105 teach when a consumer completes a reservation with a hotel, the hotel may generate an authorization request to validate the consumer account; however, the account may not be charged until the consumer checks in; any cryptography associated with the initial authorization may not be stored by the merchant; if the consumer does not cancel the reservation prior to the “Terms and Conditions” provided by the merchant, it may be valid for the merchant to submit a transaction to charge the consumer; the no show transaction may be identified in the submitted transaction so that the merchant can be protected from chargeback; one or more of the authorization or clearing message may identify the transaction as one that involves a no show event, as well as reference the original authorization).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Patterson for the one or more computing devices to be further configured to at least determine a value associated with the delayed transaction, wherein the value is based at least partly on a disclosure sent to the user device in connection with the user-initiated transaction, and wherein the user-initiated transaction comprises a zero-value transaction.
There is motivation to further combine Patterson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 17.

Regarding Claim 20, the combination of McCarthy, Li, Radu, Williamson, and Patterson teaches all the limitations of claim 17 above; however, the combination does not explicitly teach wherein the authentication information comprises at least one of: an authentication cryptogram, or an authorized transaction identifier.
Williamson further teaches wherein the authentication information comprises at least one of: an authentication cryptogram, or an authorized transaction identifier (Paragraph 0063 teaches the issuer generates an accountholder authentication value (AAV) and sends the AAV to token requestor as proof of IDV; the AAV is a security code that connects cardholder's personally identity information to the token provisioning process).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of McCarthy, Li, Radu, Williamson, and Patterson to incorporate the further teachings of Williamson for the authentication information to comprise at least one of: an authentication cryptogram, or an authorized transaction identifier.
There is motivation to further combine Williamson into the combination of McCarthy, Li, Radu, Williamson, and Patterson because of the same reasons listed above for claim 13.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Singh et al. (US 20190228408) teaches a method for facilitating a transaction with a one-time number includes: receiving a first transaction request, wherein the first transaction request includes a plurality of data elements including at least a first data element configured to store a zero transaction amount and a second data element configured to store a primary account number; parsing the primary account number stored in the second data element included in the received first transaction request; generating a one-time value, wherein the one-time value includes a predetermined number of digits and a subset of the predetermined number of digits is a reference to the processing server; storing a data entry comprised of at least the parsed primary account number and the generated one-time value; and transmitting the generated one-time value in response to the received first transaction request.
Awasthi (US 20170076288) teaches a user may establish a relationship with a merchant so that the user can conduct repeated transactions with the merchant. The merchant computer associated with the merchant may store credentials associated with the user's account. The repeated transactions may not occur at regular intervals. The merchant may include an indicator in the authorization request messages for the user's transactions that indicates that the user is part of the established relationship. Hence, other entities that receive the indicator can accordingly identify and process the transaction as low risk, which results in higher approvals of the user's transactions conducted with the merchant.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:00 pm CST (M-F).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/COURTNEY P JONES/Examiner, Art Unit 3685