DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Status
As of the Office Action dated July 7, 2022 claims 1-20 were pending and claims 1-20 stood rejected.  Claims 1-3, 5-6, 9-10 and 19 have been amended.  No claims have been added or cancelled.  Claims 1-20 are therefore currently pending and are presented for examination on the merits.
Response to Arguments
Applicant’s argument with regard to the 35 U.S.C. § 103 rejection of claims 1-20 as being unpatentable over Donaldson et al. (U.S. Patent Publication 2019/0116037, now U.S. Patent 10,708,054, hereinafter referred to as Donaldson) has been fully considered but is not persuasive.  The argument states that the both the Donaldson patent and the instant application are commonly owned by Visa International Service Association and therefore the Donaldson reference is disqualified as prior art under 35 U.S.C. § 102 (b)(2)(C).  The condition for disqualifying a reference under 35 U.S.C. § 102 (b)(2)(C) per MPEP § 2154.02(c) is that the cited prior art reference constitutes prior art under 35 U.S.C. § 102 (a)(2) i.e. that the effective filing date of the application under examination precedes the date of publication of the cited reference.  However the Donaldson reference was published prior to the effective filing of the instant application.  Donaldson was published on April 18, 2019 and the effective filing date of the instant application is July 19, 2019 based on the filing date of provisional application 62/876,187 and therefore Donaldson falls under the provisions of 35 U.S.C. § 102 (a)(1) and not the provisions of 35 U.S.C. § 102 (a)(2).  Therefore the conditions for disqualifying the Donaldson reference under 35 U.S.C. § 102 (b)(2)(C) have not been met.
Having established that the Donaldson reference is not disqualified under 35 U.S.C. § 102 (b)(2)(C) Examiner than reviewed the conditions for establishing that a 35 U.S.C. § 102 (a)(1) reference is disqualified under the provisions of 35 U.S.C. § 102 (b)(1) which defines the exceptions to the categories of prior art defined in AIA  35 U.S.C. § 102 (a)(1).  Per MPEP § 2153.01(a), which is applicable to rejections utilizing prior art that meets the conditions of AIA  35 U.S.C. § 102 (a)(1), prior art can be excluded if the following conditions have been met and “if it is apparent from the disclosure itself that it is by the inventor or a joint inventor”, those conditions being:
(1) [The disclosure] was made one year or less before the effective filing date of the claimed invention;
(2) [The disclosure] names the inventor or a joint inventor as an author or an inventor; and 
(3) [The disclosure] does not name additional persons as authors on a printed publication or joint inventors on a patent.
As further explained by MPEP § 2153.01(a):
This means that in circumstances where an application names additional persons as joint inventors relative to the persons named as authors in the publication (e.g., the application names as joint inventors A, B, and C, and the publication names as authors A and B), and the publication is one year or less before the effective filing date, it is apparent that the disclosure is a grace period inventor disclosure, and the publication would not be treated as prior art under AIA  35 U.S.C. 102(a)(1). If, however, the application names fewer joint inventors than a publication (e.g., the application names as joint inventors A and B, and the publication names as authors A, B and C), it would not be readily apparent from the publication that it is by the inventor (i.e., the inventive entity) or a joint inventor and the publication would be treated as prior art under AIA  35 U.S.C. 102(a)(1).
Clearly condition 1 is met because the Donaldson reference (April 18, 2019) was published only three months prior to the effective filing date of the instant application as provisional application 62/876,117 was filed on July 19, 2019 and appears to meet the requirements of 35 U.S.C. § 112 (a) in supporting the claims of application 16/931,516.  With regard to condition 2 the Donaldson reference names the following four inventors:
Donaldson; James
Prokop; Bartlomiej
John; Rhidian
Looney; Thomas
The instant application names the following inventors:
Prokop; Bartlomiej Piotr
John; Rhidian Desmond Thomas
Looney; Thomas Joseph
Hodkinson; Timothy
Carroll; Bryan
Morgan; Nathan
McManus; Brian
Machicao; Andre Walter
Florez; Clinton Lopaka
Dutta; Rajiv
Donaldson; James
Agrawal; Shobhit
McGurk; Niall
Therefore with regard to condition 2 all of the inventors named in the Donaldson reference are also listed as inventors in the instant application.  Therefore condition 2 is satisfied.  With regard to condition 3 no inventors who were listed in the published reference are omitted in the instant application and therefore there is no question as to whether or not it is “readily apparent” from the publication that inventorship was performed by other persons because of the continuity of inventorship between the Donaldson reference and the instant application as demonstrated by the fact that all four inventors listed in Donaldson are also listed as inventors in the instant application.  Because it is “readily apparent” that the disclosure is a grace period inventor disclosure it cannot be treated as 35 U.S.C. § 102 (a)(1) prior art per MPEP § 2153.01(a).  This analysis is equally applicable to rejections made under either 35 U.S.C. § 102 as anticipation or those made under 35 U.S.C. § 103 under obviousness (MPEP § 2152.02 (b) “Thus, the description requirement of AIA  35 U.S.C. 102(a)(1)  and (a)(2)  does not preclude an examiner from applying a disclosure in an obviousness rejection under AIA  35 U.S.C. 103  simply because the disclosure is not adequate to anticipate the claimed invention.”.  Therefore Examiner is deeming that the previous rejection under section 103 was improper as the prior art cited in the rejection was directed towards an exception provided under 35 U.S.C. § 102 (b)(1) and will be withdrawn.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2-3 and 11-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 recites “…receiving, from the merchant system associated with the merchant webpage, a selected payment method, and generating a consumer data capture field comprising at least one consumer data capture field based on the selected payment method”.  Claim 11 contains a similar recitation.   Because the word comprising is stated in MPEP § 2111.03 (I) as being “synonymous with ‘including’, ‘containing’ or ‘characterized by’” it is unclear how a consumer data capture field can comprise itself or contain itself.  Alternatively if a claim term “contains itself” it is unclear how this places any limiting effect on the term, particularly since the “basis” for the “based on the selected payment method” is not readily apparent particularly in light of the fact that neither claim 2 or claim 1 upon which it depends appears to use the recited consumer data capture field for any purpose nor is it readily apparent from the claim at what point this operation would be performed.  
Claim 3 recites “…generating normalized payment information by normalizing the payment information based on the payment method, wherein the transient payment token comprises the normalized payment information”.   Claim 12 contains a similar recitation.  The written description at paragraph 0047 recites that “As used herein, the term “account identifier” may include one or more primary account numbers (PANs), tokens, or other identifiers associated with a customer account.  The term “token” may refer to an identifier that is used as a substitute or replacement identifier for the original account identifier, such as a PAN”.  The written disclosure does not directly define what constitutes “normalization” but at most only suggests that normalization per paragraph 0062 involves insuring that the payment information is properly formatted “…By normalizing the acceptance and formatting of the payment information, the merchant webpage 110 is able to accept multiple types of payment options utilizing a single client-side script”.  Paragraph 0058 of the written description defines payment information as “(e.g., a method of payment, a PAN or other account identifier, expiration date, security code, verification value, transaction amount and/or the like)”.  If the term “payment information” is read as being a “PAN or other account identifier” than “normalizing” a “PAN or other account identifier” would appear per paragraph 0062 to be an operation of verifying the formatting of a PAN or other account identifier and possibly modifying the PAN or other account identifier by reformatting such as removing spaces, adding spaces or other operations that are not addressed by the written disclosure.  However even with such a modification the reformatted PAN would still be a PAN.  If then the token “comprises the normalized payment information” then the token would be the PAN itself which is inconsistent with how paragraph 0047 of the written disclosure defines a token.  Alternatively if “normalizing” does not operate on any particular field in the payment information which can per paragraph 0058 be “(e.g., a method of payment, a PAN or other account identifier, expiration date, security code, verification value, transaction amount and/or the like)” but operates on for example spacing between these fields the manner in which the disclosure describes the payment information still would allow for the possibility that the token comprises an actual PAN plus additional fields such as “…expiration date, security code, verification value, transaction amount and/or the like” but would still include an actual PAN which appears to be inconsistent with the language of paragraph 0047 regarding a token “…The term “token” may refer to an identifier that is used as a substitute or replacement identifier for the original account identifier, such as a PAN” because a normalized PAN or normalized payment information would still not incorporate a “substitute or replacement identifier for the original account identifier, such as a PAN”.  Therefore it is unclear how to interpret the language “wherein the transient payment token comprises the normalized payment information” because a fair read on the term normalized payment information would appear to be inconsistent with a fair read on how the written disclosure defines a token if the token comprises normalized payment information since the definition recites that a token is substituting or replacing an original account identifier or PAN.  For purposes of claim interpretation the term “token” will be interpreted as a substitute or replacement identifier for the original account identifier, such as a PAN and the claim will be viewed as reading that the token is a substitute for a PAN or PAN in combination with other elements.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim 1, 4, 7-10, 13 and 16-19 are rejected under 35 U.S.C. 102 (a)(1) and (a)(2) as being anticipated by Hagan et al. (U.S. Patent Publication 2018/0060867, hereinafter referred to as Hagan).
As per claims 1, 10 and 19
Hagan discloses receiving from a merchant system associated with a merchant webpage, a payment data capture request ([0025] “The SS interface can be hosted by a merchant's e-commerce web server or other networked web server or a server farm in communication with the merchant's web server, wherein such other servers can be provided, owned and operated by any party. The SS interface can provide direct and secure communication with a data encryption and/or tokenization server, referred to herein as the “SS server”, in support of the performance of an electronic payment transaction. The SS interface promotes the seamless integration into the merchant’s e-commerce website of the interface to the data encryption and/or tokenization capabilities without redirection from or loss of a user or customer from the merchant's e-commerce site”, 0029 “ As part of the electronic payment transaction (checkout) process a “checkout” button is presented by the shopping cart, or other functionality, and upon selection/clicking of this button the website can initiate performance of the merchant’s checkout process which may direct the customer to a checkout page or form. The checkout page, or at least a part of the checkout page, may request or require the customer to enter various information, which may or may not be considered sensitive information. For instance, the customer can or may not be required to enter their shipping address and select a preferred shipping method, and can or may not be requested to respond to a customer satisfaction survey or enter customer loyalty/reward program information. Upon capture of information that the merchant's checkout process determines necessary or required, the checkout process via the checkout form may present the customer with additional information requests regarding billing information”)
Hagan discloses generating, with at least one processor, web payment capture data based on the payment data capture request, the web payment capture data configured to adapt the merchant webpage to receive payment information input by a user ([0032] The merchant server hosts the SS integrated checkout page/form which can include an implementation of the SS interface as either (1) two JavaScript files; (2) two JavaScript files and one or more IFrames; or (3) one or more IFrames. The SS interface can also be referred to herein as an “override”, “override window”, “interrupt” or “secure submission window”. The JavaScript files and/or Iframes can establish a communication link or interface to an SS server, which is a networked server that hosts a unique single JavaScript library and provides for the tokenization of data during performance of an electronic payment transaction over a networked e-commerce website”, [0041] “The Iframe(s) configured SS interface can be one or more code insertions and/or HTML documents that can be integrated within another HTML document. Therefore, one exemplary configuration provides an SS interface configured with both a JavaScript override (as described above) and an IFrame, which is an HTML element that inserts content (also referred to herein as a window(s)), hosted in part or in total, by the merchant server or SS server, into the merchant's checkout form. Another exemplary configuration provides an SS interface wherein the JavaScript override and any other inserted content is established in and as part of the IFrame being hosted, in part or in total, by the merchant server and/or SS server”
Hagan discloses communicating, to merchant system the web payment capture data [0041]);
Hagan discloses receiving, directly from a client computer via at least one client-side script executed by the client computer based on the web payment capture data, the payment information input by the user ([0030] “The checkout form may present the customer with one or more data entry or input fields, a billing information screen or window to capture this type of billing information or other information. The merchant’s capture of billing information can be enabled in various manners by the website. For example, a billing information screen may be displayed or perceived as an integrated part of the checkout form, a separate and distinct webpage from that of the checkout page or as a window or other subordinate display feature within the overall display framework of the checkout page. The billing information screen can display a customer perceived view containing one or more various data input fields for capturing various information items, such as the billing name, address and credit card and/or debit card fields (card number, expiration day, expiration year and CSC or CVV). Still further, such a billing information screen can present a “confirm” or “submit” button that enables the consumer or other user to post or transmit a transaction authorization request. Such transaction authorization requests being typically submitted or posted to a payment processing network through one or more servers, networked to the merchant server, that provide the gateway or entry point to a system for handling the transaction authorization and all other back-end transaction processing (i.e., clearance and settlement) for performance of an electronic payment transaction”, [0033] “The SS interface overrides or interrupts the posting (submission or transmission) of a checkout request or transaction authorization request from the merchant server to a payment processing network”, [0034] “In embodiments, the JavaScript implementation of an SS interface may be integrated with the merchant checkout form and upon selection of a submit or confirm button found on such an SSCF, the JavaScript override may temporarily prevent the posting of the SSCF to a payment processing network for transaction authorization”, [0035] “For the SSCF, selection of the submit or confirm button can also trigger or initiate the transmission of a tokenization request to the SS server before the transaction authorization request is allowed to be posted. The tokenization transmittal is a secure transmission protected using one or more data security/encryption protocols. A tokenization request transmittal can include various data elements, either as individual or accumulated elements, captured from one or more of the data entry or input fields enabled and presented by the SSCF, a merchant’s checkout form, a window on the website and/or a billing information screen. The data elements can include items such as a personal account number (PAN), other consumer payment information or other sensitive data)” see also [0059] and [0061])
Hagan discloses generating, with at least one processor, a transient payment token based on the payment information (Figure 1 element 120, Figure 2 element 220, 0065, 0076-0077)
Hagan discloses directly communicating the transient payment token to the client computer (0076 “The SUPT generated by the SS server is securely transmitted back to the SS interface and, therefore, the merchant server. This transmission can also be encrypted and protected using protocols, as has been previously described herein. The transmission of the SUPT allows the merchant server to utilize the SUPT in completing the checkout form and the electronic payment transaction process as described herein” in light of 0023 and 0037 where per 0023 the SS interface is described as being either on a server and/or a user computing device “A configuration for the current invention is as a set of computer executable instructions embodied within a computer readable medium is commonly referred to herein as the “SS Software” or “SS interface”. The functional capabilities provided by the SS Software, when loaded in whole or part upon a server and/or user computing device” and in 0037 “The SS server tokenizes the data received, generating a transaction specific, single use payment token (SUPT) and then securely transmits the SUPT to the merchant server via the SS interface”, see also 0040 that the SS interface may be JavaScript code to be rendered by a web browser,  0077 “It is contemplated that the SUPT, once generated, may be transmitted to various networked locations and various networked devices. In such an alternative embodiment, the SUPT may be transmitted to and stored in a consumer device, such as a mobile telephone (e.g., a “smart” phone) or other personal digital assistant (PDA), and may be presented electronically at a point of sale (POS) or point of transaction (POT) as legal tender of a specific, previously-authorized payment useful in completing, or helping to complete, an identified transaction, or as evidence of credit or other binding payment authorization”) (Examiner deems that 0076 when read in light of 0023 and 0037 where the SS interface is residing on the user computing device would convey to those skilled in the art that the generated token would be placed into the Iframe/JavaScript interface for passing on to the merchant server when the checkout form is submitted and that in 0077 the token is simply passed to the user computing device for later use).
As per claims 4 and 13
Hagan discloses wherein the web payment capture data is configured to adapt the merchant webpage by: generating, on the merchant webpage, at least a portion of a graphical user interface (GUI) configured to receive the payment information from the user (0055 “A GUI may be used in any of the embodiments for the current invention. Through an interface of windows, menus (pull-down or otherwise), and/or toolbars, GUI operating systems simplify device operation. The use of windows is conventional in GUIs for software applications and are typically utilized to provide end users (consumers) of applications with display of and/or access to available information, choices or processing options while using the application(s). For example, in a typical interactive web browser application, a window can provide the context within which a display of the contents of a web page from a hosted website occurs on the end users device”)
Hagan discloses configuring the at least one client-side script to validate the web payment capture data and process the payment information (0074 “Verification may fail where the data entry within a particular input field does not meet the predetermined requirements. Verification failure may result in various outcomes which can include anything from various prompting of the consumer to complete the unverified data field to transaction denial”, 0075 “a validation process(es) may execute that provides one or more forms of confirmation for the data entered. This confirmation may be anything from a user prompt asking for an action to indicate that the data entered is accurate, to an automated check or comparison of the entered data against a stored data set, to further providing an interactive functionality that allows for correction of any incorrect entered data”, 0032 “The merchant server hosts the SS integrated checkout page/form which can include an implementation of the SS interface as either (1) two JavaScript files; (2) two JavaScript files and one or more IFrames; or (3) one or more IFrames. The SS interface can also be referred to herein as an “override”, “override window”, “interrupt” or “secure submission window”. The JavaScript files and/or IFrame(s) can establish a communication link or interface to an SS server, which is a networked server that hosts a unique single JavaScript library and provides for the tokenization of data during performance of an electronic payment transaction over a networked e-commerce website”)
As per claims 7 and 16
Hagan discloses wherein the web payment capture data is configured to adapt the merchant webpage by configuring the merchant webpage to initiate a transaction through a single Application Programming Interface (API) call (0032 “The merchant server hosts the SS integrated checkout page/form which can include an implementation of the SS interface as either (1) two JavaScript files; (2) two JavaScript files and one or more IFrames; or (3) one or more IFrames. The SS interface can also be referred to herein as an “override”, “override window”, “interrupt” or “secure submission window”. The JavaScript files and/or IFrame(s) can establish a communication link or interface to an SS server, which is a networked server that hosts a unique single JavaScript library and provides for the tokenization of data during performance of an electronic payment transaction over a networked e-commerce website”, 0033 “It is understood that the integrated/embedded JavaScript file(s) on a merchant checkout form can establish or integrate a JavaScript library from any networked location within the electronic transaction processing capabilities being enabled over an e-commerce website. The addition of the JavaScript to the SSCF or other merchant's server hosted web-page(s) can occur in one of two ways. For instance, Script tags can be placed in a webpage and the JavaScript code can be placed inside of those or all JavaScript code can be placed in another file and linked to by a Script tag. In preferred embodiments, the SS interface is implemented as a Script tag(s) containing or linking to two JavaScript files. However, the number of files (i.e., JavaScript or otherwise) employed may be any number that is necessary for proper implementation of the SS interface in various different online e-commerce transaction system environments and over any networked computing device. It is contemplated that integrating a JavaScript library can be enabled using various technologies, such as jQuery, Angular, Prototype or other code(s)/file(s) as are commonly employed by those skilled in the field”)
As per claims 8 and 17
Hagan discloses wherein the at least one client-side script is configured to pass the transient payment token from the client computer to the merchant system via the merchant webpage (0076 “The SUPT generated by the SS server is securely transmitted back to the SS interface and, therefore, the merchant server. This transmission can also be encrypted and protected using protocols, as has been previously described herein. The transmission of the SUPT allows the merchant server to utilize the SUPT in completing the checkout form and the electronic payment transaction process as described herein” in light of 0023 and 0037 where per 0023 the SS interface is described as being either on a server and/or a user computing device “A configuration for the current invention is as a set of computer executable instructions embodied within a computer readable medium is commonly referred to herein as the “SS Software” or “SS interface”. The functional capabilities provided by the SS Software, when loaded in whole or part upon a server and/or user computing device” and in 0037 “The SS server tokenizes the data received, generating a transaction specific, single use payment token (SUPT) and then securely transmits the SUPT to the merchant server via the SS interface”, see also 0040 that the SS interface may be JavaScript code to be rendered by a web browser)
As per claims 9 and 18
Hagan discloses receiving the transient payment token from the merchant system; and generating an authorization request based on the transient payment token (0038 “In such embodiments the SS server, along with its tokenization capabilities, can provide various transaction functionalities, including authorization functionality, for the payment processing network. In such a system embodiment, the SS server's transaction authorization functionality is initiated by the merchant server's posting of the complete checkout form. It is contemplated that a transaction authorization request can be submitted by the merchant server simultaneously with the transmission of a tokenization request”, 0061 “Alternatively, the tokenization request can be separate from and/or transmitted separately from the transaction authorization request and/or require some manner of manual interaction to begin”, 0114 “As described herein, transaction performance over an SS system can require the generation and transmission of an SUPT as a necessary component of any transaction authorization request and therefore any transaction approval from which the merchant receives valid merchandise orders”)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Hagan as applied to claims 1 and 10 above, and further in view of Bu (U.S. Patent 11,429,951)
As per claims 2 and 11
Hagan, while disclosing the limitations of claims 1 and 10, does not explicitly disclose receiving, from the merchant system associated with the merchant webpage, a selected payment method, and generating a consumer data capture field comprising at least one consumer data capture field based on the selected payment method.  Bu teaches receiving, from the merchant system associated with the merchant webpage, a selected payment method (18:14-28 “In some examples of the present disclosure, different data entry, elements within iframes are shown or hidden (or sometimes partially hidden) at different times within the configurable element. Consider again the single line iframe discussed further above. It includes four data entry elements in a single line for capturing payment information. In one related example of this type, a field for entry of a postal code is not presented at all unless the payment processor detects that the end user's card is from a country where postal code verification is actually required. In this way, the inadvertent submission of protected information regulated, for example, by (PCI) requirements can be minimized, or prevented altogether, as the “sensitive” fields are withheld until it can be verified they are needed through information entered into another non-sensitive field”)
Bu teaches generating a consumer data capture field comprising at least one consumer data capture field based on the selected payment method (18:14-28)
It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the secure electronic transaction processing with integrated data tokenization of Hagan with the secure data management of Bu for the purpose of providing safe and convenient method for handling regulated (PCI) payment information and other sensitive information (1:55-58).
As per claims 3 and 12
Hagan discloses that the token is a substitute for a PAN or PAN in combination with other elements (0035, 0037)
Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Hagan as applied to claims 1 and 10 above, and further in view of Paya et al. (U.S. Patent 8,931,084, hereinafter referred to as Paya).
As per claims 5 and 14
Hagan, while disclosing the limitations of claims 1 and 10, does not explicitly disclose generating a cryptographic signature of the web payment capture data, wherein the at least one client-side script is configured to validate the web payment capture data based on the cryptographic signature.  However as the written disclosure describes that the web payment capture data may be implemented using IFrames or JavaScript it would be reasonable for those skilled in the art to consider known work in other fields of endeavor based on design incentives if the variations are predictable.  Paya teaches performing integrity checks on scripts and executable content (9:61-10:6 “In another case, the secret is used as an input to a cryptographic integrity check (e.g. used to compute the MAC which then gets placed in the annotation.)  No script or other executable content on a page can be executed until the integrity verification is completed by integrity checker 370. This means that browser 150 may need to hold off on passing any code to the scripting engine 212. As an example, this can be partially mitigated by allowing the script sections to be validated piecemeal, by having several integrity checks each covering different, non-overlapping sections of the document. In this way, as soon as executable content in one section is validated, it can be passed to be rendered by browser 150's rendering engine after it is parsed”, 11:42-55 “Thus, a hacker could perpetrate a DOM-based XSS attack on the outer frame by embedding malicious JavaScript in the URL of a site they control and tricking the user to navigate to that site. Furthermore, many of the effects (e.g. malicious effects) that JavaScript (or other executable content) can perpetrate occur through the Document Object Model (DOM) provided by browsers. This includes making network requests, which would be a fundamental need for most malicious sites, to send the data they have stolen back to the origin of such malicious sites.  In an embodiment, to prevent DOM-based XSS attacks, server 110 tags the page with integrity verifying HMACs that allow script verifier 310 to identify the signature of the JavaScript expected to run on the page”.
It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the secure electronic transaction processing with integrated data tokenization of Hagan methods for scripting defense of Paya for the purpose of avoiding the vulnerabilities found in internet content such as cross-site scripting (1:18-19).
Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Hagan as applied to claims 1 and 10 above, and further in view of DeTella et al. (U.S. Patent 10,565,596, hereinafter referred to as DeTella).
As per claims 6 and 15
Hagan, while disclosing the limitations of claims 1 and 10, does not explicitly disclose encrypting the payment information with the at least one client-side script based on a public key embedded in the web payment capture data.  DeTella teaches encrypting the payment information with the at least one client-side script based on a public key embedded in the web payment capture data (6:61-66 “In one embodiment, the data entered in the sensitive data form fields is encrypted prior to transmission. In one embodiment, the data is encrypted by a function provided in the JavaScript file, and is encrypted using a public key provided by the third party payment processor”)
It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the secure electronic transaction processing with integrated data tokenization of Hagan with the hosted sensitive data form fields of DeTella for the purpose of complying with security standards for accepting sensitive data (1:53-54).
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Hagan as applied to claim 19 above, and further in view of Brotsky et al (U.S. Patent Publication 2017/0098215, hereinafter referred to as Brotsky).
As per claim 20
Hagan, while disclosing the limitations of claim 19, does not explicitly disclose wherein at least a portion of the payment information is stored only in active memory.  Brotsky teaches wherein at least a portion of the payment information is stored only in active memory (Claim 16 in conjunction with claim 18, 0016 “The data protection system sanitizes online data by isolating and/or removing sensitive information included in the online data. The sensitive information may include personal information, financial information, information about a purchase, medical records, and/or proprietary information. In one specific example, the sensitive information includes credit card information such as a credit card number, card verification codes (e.g., CVV numbers), and an expiration date. Sanitizing the online data at the data protection system may include replacing the sensitive information with obfuscated data that is a representation of the information being replaced. For optimal security and to reduce applicable security compliance requirements, storage of sensitive information at the data protection system may be limited to short time-durations (e.g., measurable in seconds or milliseconds) and/or stored in volatile memory”
It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the secure electronic transaction processing with integrated data tokenization of Hagan with the data protection system for online data of Brotsky for the purpose of complying with requirement including computers involved in the exchange of the credit card data [[that]] are required to meet particular security compliance requirements regarding processing, storing, and/or transmitting of the data (0001).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Solat (“Security of Electronic Payment Systems: A Comprehensive Survey”, January 1, 2017, 29 pages) describes various types of payment systems including those using IFrames (4.1.2 on page 9) and Java Card applets (9.3, page 22).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES D NIGH whose telephone number is (571)270-5486. The examiner can normally be reached 6:00 to 9:45 and 10:30 to 2:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571) 270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES D NIGH/           Senior Examiner, Art Unit 3685