DETAILED ACTION

Status of Claims

Claims 1-7, 9-22, 24-35 & 37-47 are currently pending and have been examined in this application.  This NON-FINAL communication is in response to the amendment submitted on 4/11/22. 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 4/11/22 has been entered.
 

Response to Arguments
Applicant's arguments filed regarding 101 have been fully considered but they are not persuasive. 

Issue #1
Applicant:  A. The claimed invention improves the functioning of the prior art merchant server itself by eliminating the need for that merchant server to include numerous components and to perform numerous computer processing steps required by the PCI Data Security Standard - Claims that "purport to improve the functioning of the computer itself" are patent eligible under § 101. In Enfish, for example, the Federal Circuit held that claims directed to a "self-referential" table were patent eligible because the self-referential table allowed for faster searching of data, allowed for more effective storage of data other than structured text, and allowed more flexibility in configuring the database. To process payments prior to the claimed invention, prior art merchant systems were required to receive, store, and transmit cardholder data. Therefore, as described in paragraphs [0004]-[0005] of the instant specification, prior art merchant systems were required to comply with Payment Card Industry (PCI) Data Security Standards. The PCI Data Security Standard that was in place on the effective filing date of the present application is attached as Appendix A. The claimed invention eliminates the need for merchant servers to receive, store, and transmit cardholder data by allowing those merchant servers to outsource the processing of cardholder data to the secure server. As a result, the claimed invention eliminates the need for that merchant server to comply with the PCI Data Security Standard of Appendix A. Instead, in the years since the claimed invention has become available, the Payment Card Industry Security Standards Council has published requirements applicable to "e-commerce merchants with a website(s) that does not itself receive cardholder data," which are attached as Appendix B. The PCI Data Security Standard of Appendix B is applicable to "e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties," meaning "All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor." As described below, the PCI Data Security Standard of Appendix B does not require that merchant systems that outsource the processing of cardholder data to the secure server recited in the claims include a number of computer components or perform a number of computer processing steps that were required of prior art merchant systems that received cardholder data. Additionally, if any of the requirements of the PCI Data Security Standard of Appendix B are not applicable, that PCI Data Security Standard allows those merchants to simply indicate that those requirements are not applicable. Meanwhile, as described below, several requirements of the PCI Data Security Standard of Appendix B are not applicable to merchant systems that outsource the processing of cardholder data to the secure server recited in the claims. Therefore, just like the self-referential table at issue in Enfish improved the functioning of the computer itself, the claimed invention improves the functioning of the merchant server itself by eliminating the need for that merchant server to include the following components and to perform the following computer processing. Prior to the claimed invention, prior art merchant systems were required to protect stored cardholder data by rendering any primary account number (PAN) unreadable anywhere it is stored by one-way hashing the entire PAN using strong cryptography, using index tokens and securely stored pads, or using strong cryptography with associated key-management processes and procedures.

Application No. 16/535,424, Docket No.: 124452.00122, Amendment dated April 11, 2022, Reply to Office Action of December 10, 2021
Prior art merchant systems were required to generate strong data-encrypting cryptographic keys, encrypt those data-encrypting cryptographic keys using key-encrypting cryptographic keys, store the key-encrypting cryptographic keys separately from the data-encrypting cryptographic keys, and securely distribute the data-encrypting cryptographic keys. Prior art merchant systems were required to change cryptographic keys that had reached the end of their cryptoperiod (e.g., after a defined period of time and/or a defined amount of ciphertext had been produced). Prior art merchant systems were also required to include functionality to retire or replace cryptographic keys when required, for example by destroying and/or revoking cryptographic keys and, if necessary, securely archiving those retired or replaced cryptographic keys (e.g., using a key encryption key). Prior art merchant systems were also required to mask PAN when displayed.
If the prior art merchant system used disk encryption, the prior art merchant system was required to manage logical access independently of native operating system access control mechanisms. A prior art merchant system was not compliant with the PCI Data Security Standard if it used local user account databases or tied decryption keys to user accounts. If the prior art merchant system used manual clear-text cryptographic key management operations, the prior art merchant system was required to provide functionality to manage those operations using split knowledge and dual control. For example, the PCI Data Security Standard suggested a system requiring two or three people, each knowing only their own key component, to reconstruct the whole key. To avoid the requirement to conduct quarterly manual reviews to verify that stored cardholder data did not exceed the requirements defined in the merchant's data retention policy, a prior art merchant system was required to include a programmatic process to automatically remove stored cardholder data exceeding the requirements defined in the merchant's data retention policy. Except in limited circumstances, prior art merchant systems were required to perform a process to securely delete sensitive authentication data received from cardholders, including the full contents of any magnetic stripe or chip, any card validation code, and any personal identification number (PIN) or encrypted PIN block. While merchant systems that partially outsource their e-commerce payment channel using the claimed invention are still required to securely delete any sensitive authentication data they receive, the claimed invention allows merchant systems to process payments without receiving any sensitive authentication data.
Prior art merchant systems were required to use strong cryptography and security protocols to safeguard sensitive cardholder data transmitted over open, public networks such as the Internet, wireless networks, and mobile networks. The PCI Data Security Standard suggested using SSL/TLS, IPSEC, or SSH to transmit sensitive cardholder data over open, public networks. Prior art merchant systems were required to accept only trusted cryptographic keys and/or certificates, to use a protocol implemented to use only secure configurations (that did not support insecure versions or configurations), and to use "the proper encryption strength" (according to vendor recommendations/best practices) for the encryption methodology in use. Prior art merchant systems were required to render PAN unreadable or secured with strong cryptography whenever sent to end-user messaging technologies such as email, instant messaging, or chat programs. Again, merchants who partially outsource their e-commerce payment channel using the claimed invention are still required to safeguard any sensitive cardholder data they transmit. However, the claimed invention allows merchant systems to process payments without transmitting any sensitive cardholder data. Wireless networks transmitting cardholder data or connected to the cardholder data environment were required to use industry best practices to implement strong encryption for authentication or transmission. The PCI Data Security Standard noted that the use of Wired Equivalent Privacy (WEP) as a security control was prohibited and suggested IEEE 802.11i as an example of industry best practices. Note that the IEEE 802.11i standard makes use of the Advanced Encryption Standard (AES) block cipher, which requires a dedicated chip that was not commonly included in most wireless network hardware.

Examiner:  The use of tokenization and applying the concept of tokenization to a particular server that outsources what the merchant server could have done to process a payment does not go beyond the 'apply-it' standard.  Applicant's comparisons of the claims of the instant case with those of Enfish are not persuasive. In Enfish, the claims describe the steps of configuring a computer memory in accordance with a self-referential table. On the other hand, the claims of the instant case employ a generic computer system comprising a memory and a generic processor with suitable programming to perform the claimed functions. The claims in the instant application are applying computers to a problem rooted in an abstract idea. There are no improvements to another technology or technical field, no improvements to the functioning of the computer itself, no transformation or reduction of a particular article to a different state or thing, or any other meaningful limitations beyond what is mentioned in the rejection below using the claimed system. The claimed sequence of steps comprises only "conventional steps, specified at a high level of generality," which is insufficient to supply an "inventive concept." Id. at 2357 (quoting Mayo, 132 S. Ct. at 1294, 1297, 1300). Also, the addition of merely novel or non-routine components to the claimed idea does not necessarily turn an abstraction into something concrete (See Ultramercial, Inc. v. Hulu, LLC, _ F.3d __, 2014 WL 5904902 (Fed. Cir. Nov. 14, 2014)).

Issue #2
Applicant:  B. Additionally, because the secure server recited in the claims can perform cardholder data functions for multiple merchant servers, the claimed invention improves the functioning of the combined system for processing payments (i.e., both the merchant servers and the secure server) by eliminating redundant computer components and redundant processing steps - The claimed invention allows multiple merchant systems to outsource the processing of cardholder data to the secure server recited in the claims while maintaining PCI compliance as described in the PCI Data Security Standard of Appendix B. Accordingly, rather than each merchant system being required to include the required computer components, only the secure server is required to include many of the computer components required by the PCI Data Security Standard of Appendix A. Additionally, rather than each merchant system being required to perform each of the software processing steps required by the PCI Data Security Standard of Appendix A, many of those software processing steps are only required to be performed once by the secure server recited in the claims for each of those merchant systems to maintain PCI compliance. When providing functionality for payers of multiple merchants to provide PAN (e.g., via an application programming interface (API) or a secure connection via the internet, such as a redirect URL or a widget or window within a website provided by the merchant server), the secure server can provide a single interface that masks that PAN when displayed, a single process to remove stored cardholder data exceeding the requirements defined in the secure system's data retention policy, and a single process to securely delete sensitive authentication data.
The secure system can protect that cardholder data for all of those merchant systems by generating strong data-encrypting cryptographic keys, encrypting those data-encrypting cryptographic keys using key-encrypting cryptographic keys, securely storing the cryptographic keys, and retiring or replacing the cryptographic keys when required. One particularly beneficial improvement provided by the claimed invention is that the secure system can perform a single key rotation process and ensure that all cryptographic keys used for all merchants are changed before they reach the end of their cryptoperiod. While receiving and transmitting sensitive cardholder data for multiple merchants, the secure server recited in the claims only requires one set of components that uses strong cryptography and security protocols to safeguard that sensitive cardholder data during transmission over open, public networks (including wireless network hardware with the dedicated chip required by the IEEE 802.11i standard if needed to transmit cardholder data wirelessly).

Examiner:  Outsourcing the processing to another device does not meaningfully reduce the processing that needs to occur in maintaining PCI compliance.  Similar to above, it does not go beyond the apply-it standard.  Where is the technical problem described in the specification as well as the technical solution, and where are said technical elements mapped to in the claim language? 

Issue #3
Applicant:  C. Processing a payment, by a server, is a technical process - In addition to improvements to computer functionality, the subject matter eligibility guidelines recognize that "an improvement to other technology or technical field" may integrate a judicial exception into a practical application under Prong Two of Step 2A or recite "significantly more" than an instruction to apply the judicial exception under Step 2B. In BASCOM, the claims were directed to filtering content on the internet. As described in BASCOM, prior art content filtering methods included installing filtering software on each local computer. However, it was "difficult and time consuming to install" that software "on every end-user's client machine." Other prior art methods included relocating the filtering software to a local server or an ISP. However, those "one-size-fits-all" solutions were not ideal because "a single set of filtering criteria is often not appropriate for all of the end-users." Therefore, the claims at issue in BASCOM provided individually customizable filtering at the remote ISP server. The ISP stored customized filtering mechanisms for different users, required each user to log in, and applied the filtering mechanisms associated with each user. The Federal Circuit noted that, when viewed individually, the claimed components ("local client computer," "remote ISP server," "Internet computer network," and "controlled access network accounts") were described in the specification as well-known, generic computer components. Meanwhile, the specification stated that "the filtering scheme" performed by those components "can be any of a number of known-schemes, or hybrids thereof." However, the Federal Circuit held that the claims were patent eligible under § 101 because the "particular arrangement of elements" was "a technical improvement over prior art ways of filtering such content." Installing a filtering tool at a location remote from the end-users, with customizable filtering features specific to each end user, gave that filtering tool both the benefits of a filter on a local computer and the benefits of a filter on the ISP server. The court also noted that the claims do not "preempt all ways of filtering content on the Internet" but "rather, they recite a specific, discrete implementation of the abstract idea of filtering content." In DDR Holdings, the claims were directed to constructing and serving a hybrid web page that merges content associated with the products of the third-party merchant with stored "visually perceptible elements" from a host website. There, the specific issue was that, "upon the click of an advertisement for a third-party product displayed on a host's website, the host website would lose that visitor as he or she is "transported to the third party's website." To solve that problem, the claims were directed to "an automatically-generated hybrid web page that combines visual 'look and feel' elements from the host website and product information from the third-party merchant's website related to the clicked advertisement" so that, "rather than instantly losing visitors to the third-party's website, the host website can instead send its visitors to a web page on the outsource provider's server that 1) incorporates 'look and feel' elements from the host website, and 2) provides visitors with the opportunity to purchase products from the third-party merchant without actually entering that merchant's website."
The Federal Circuit held that such claims were patent eligible "because they do not merely recite the performance of some business practice known from the pre-Internet world along with the requirement to perform it on the Internet" and instead provided a claimed solution that was "necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks." The court also noted that the claims "do not attempt to preempt every application of the idea of increasing sales by making two web pages look the same," but rather "recite a specific way to automate the creation of a composite web page by an 'outsource provider' that incorporates elements from multiple sources in order to solve a problem faced by websites on the Internet." In both instances, the Federal Circuit held that the claims improved a technical process. As explained by the court in BASCOM: Although the invention in DDR's patent was engineered in the context of retaining potential customers, the invention was not claiming a business method per se, but was instead claiming a technical way to satisfy an existing problem for website hosts and viewers. Similarly, although the invention in the '606 patent [at issue in BASCOM] is engineered in the context of filtering content, the invention is not claiming the idea of filtering content simply applied to the Internet. The '606 patent is instead claiming a technology-based solution (not an abstract-idea-based solution implemented with generic technical components in a conventional way) to filter content on the Internet that overcomes existing problems with other Internet filtering systems.
By taking a prior art filter solution (one-size-fits-all filter at the ISP server) and making it more dynamic and efficient (providing individualized filtering at the ISP server), the claimed invention represents a software-based invention that improves the performance of the computer system itself.
Similarly, the claims at issue are directed to the technical process of processing a payment using a server. While the invention is used in service of a business transaction, the claims are not directed to the process of marketing or arranging that business transaction, but rather to the technical process of receiving, safeguarding, and transmitting cardholder data while complying with the PCI Data Security Standard. As described in the instant specification (e.g., with reference to FIGS. 4a through 41), receiving and transmitting cardholder data is a technical process. Meanwhile, as described in exhausting detail in Sections A and B above, complying with the PCI Data Security Standard to safeguard that cardholder data requires specific computer components and the performance of specific computer processing steps. 

Examiner:  The argument is not persuasive.  Regarding Bascom, applicant argues a non-conventional and non-generic arrangement. The BASCOM court agreed that the additional elements were generic computer, network, and Internet components that did not amount to significantly more when considered individually, but explained that the district court erred by failing to recognize that when combined, an inventive concept may be found in the non-conventional and non-generic arrangement of the additional elements, i.e., the installation of a filtering tool at a specific location, remote from the end-users, with customizable filtering features specific to each end user (note that the term "inventive concept" is often used by the courts to describe additional element(s) that amount to significantly more than a judicial exception). In BASCOM, as discussed in the specification, the one-size-fits-all filter on the local server was not ideal because "a single set of filtering criteria is often not appropriate for all of the end-users." By taking a prior art filter solution (one-size-fits-all filter at the ISP server) and making it more dynamic and efficient (providing individualized filtering at the ISP server), the claimed invention in BASCOM represented a "software-based invention[ ] that improve[s] the performance of the computer system itself." The specification in the instant application does not similarly describe technological problems with a technological solution. Instead, the specification describes a recognized business problem with a solution in the computer arts where a server is used to process information and perform computationally-intensive analysis for other locations (See 0004-0005 "Underlying software applications may require substantial modifications to achieve compliance, and significant changes in organizational structure and operating procedures may also be required. Thus, the time, effort, and cost required for merchants and processors to obtain PCI certification to receive and use credit card data are substantial"). Looking at the limitations in the instant application as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation.  How is this invention like Bascom?

Issue #4
Applicant:  D. The claimed invention improves the prior art process of processing a payment by eliminating the need for merchants to integrate their systems with the components required for PCI compliance - Prior to the claimed invention, merchants were required to integrate their systems with the computer components required for PCI compliance described in Sections A and B above, while ensuring that those components did not negatively impact the functions performed by the merchant system, including the user experience provided to their customers. By enabling those merchants to outsource the processing of cardholder data to the secure server recited in the claims, the secure server and merchant server recited in the claims form a hybrid system (similar to the hybrid webpage at issue in DDR) that enables merchants to focus their efforts on their own core systems - and the user experience provided to their customers - while maintaining compliance with the PCI Data Security Standard of Appendix B.

Examiner:  As far as the comparison to DDR is concerned, the patent at issue in DDR provided an Internet-based solution to solve a problem unique to the Internet (the problem in DDR Holdings (conventional Internet hyperlink protocol preventing websites from retaining visitors)), that (1) did not foreclose other ways of solving the problem, and (2) recited a specific series of steps that resulted in a departure from the routine and conventional sequence of steps after the click of a hyperlink advertisement. In the instant invention, the claimed solution is not necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer analysis. Id.  Claim 1 generically requires "supervised machine learning". It's not clear how the generic recitations of a basic computer implementation/components integrate the judicial exception so as to "impose[] a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception." Guidance, 84 Fed. Reg. at 53.  The applicant does not indicate that the operations of Claim 1 invoke any assertedly inventive programming, require any specialized computer hardware or other inventive computer components, i.e., a particular machine, or that the claimed invention is implemented using other than generic computer components to perform generic computer functions. See DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245.


Issue #5
Applicant:  E. Additionally, the claimed invention improves the prior art process of processing a payment by eliminating the need for each merchant to perform numerous tasks to comply with the PCI Data Security Standard - As described above, the Federal Circuit in BASCOM held that filtering content at the ISP server (rather than on each end-user's client machine) was patent eligible under § 101 because it eliminated the "difficult and time consuming" process of installing software "on every end-user's client machine." In addition to the required computer components and computer processing steps outlined in Sections A and B above, the PCI Data Security Standard also required that employees or agents of merchants using prior art merchant systems perform all of the tasks outlined in detail below. By providing functionality for multiple merchants to outsource the processing of cardholder data, the claimed invention improves the prior art process of processing a payment by eliminating the need for each merchant to individually perform those tasks. Therefore, just like BASCOM's process of filtering internet content by an ISP server (rather than on each end-user's client machine) improved the prior art internet content filtering processes, outsourcing the receipt, storage, and processing of cardholder data from each merchant's system to the secure server recited in the claims improved the prior art payment processing process by eliminating the need for each merchant to perform all of those tasks. Prior to the claimed invention, merchants using prior art merchant systems were required to verify that the prior art merchant systems complied with each and every one of the requirements above.
To protect stored cardholder data, merchants were required to implement data retention and disposal policies, procedures, and processes to keep cardholder data storage to a minimum. To comply with the PCI Data Security Standard, the data retention and disposal policy was required to limit data storage and retention time "to that which is required for legal, regulatory, and business requirements." Merchants were required to have specific retention requirements for all cardholder data specifying the time period that cardholder data needed to be stored and the legal, regulatory, or business reason why that cardholder data needed to be stored for that time period. The data retention and disposal policy was also required to include provisions for secure disposal of data (including disposal of cardholder data) when no longer needed for those legal, regulatory, or business reasons. If the merchant system did not include the programmatic process to automatically remove stored cardholder data exceeding the requirements defined in the merchant's data retention policy, the merchant was required to conduct quarterly reviews to verify that stored cardholder data did not exceed the requirements defined in the merchant's data retention policy. Merchants were required to examine data sources - including incoming transaction data, all logs (e.g., transaction logs, history logs, debugging logs, and error logs), history files, trace files, several database schemas, and database contents - to verify that the full contents of magnetic stripes or chips, card validation codes, and PINs or encrypted PIN blocks were not stored under any circumstance.
To verify that displayed PAN was masked, merchants were required to obtain and examine written policies and examine displays of PAN (e.g., on screen or on paper receipts) to verify that the PAN was masked and examine documentation about the system, including the vendor, the type of system/process, and any applicable encryption algorithms. To verify that stored PAN was rendered unreadable, merchants were required to examine documentation about the system, including the vendor, the type of system/process, and any applicable encryption algorithms. Additionally, merchants were required to confirm that PAN was rendered unreadable by examining several tables or files from a sample of data repositories, a sample of removable media (e.g., back-up tapes), and a sample of audit logs. To protect cryptographic keys, merchants were required to document and implement key-management processes and procedures. The key-management processes and procedures were required to restrict access to the fewest number of custodians necessary and to store cryptographic keys in the fewest possible locations and forms. Merchants were required to periodically change cryptographic keys once they reached the end of their cryptoperiod (for example, after a defined period of time had passed and/or after a defined amount of cipher-text had been produced) as defined by the associated application vendor or key owner and based on industry best practices and guidelines (e.g., NIST Special Publication 800-57). Merchants were also required to retire or replace cryptographic keys if the cryptographic key was suspected of being compromised or when the integrity of the cryptographic key had been weakened (for example, if an employee with knowledge of a clear-text cryptographic key left the organization), for example by destroying and/or revoking cryptographic keys and, if necessary, securely archiving those retired or replaced cryptographic keys (e.g., using a key encryption key). If the merchant system used manual clear-text cryptographic key management operations, the merchant was required to manage those operations using split knowledge and dual control. For example, the PCI Data Security Standard suggested a system requiring two or three people, each knowing only their own key component, to reconstruct the whole key. The merchant key-management procedures were required to prevent unauthorized substitution of cryptographic keys. Merchants were required to obtain written or electronic acknowledgement from all custodians of the cryptographic keys that those custodians understood and accepted their key-custodian responsibilities.
Merchants were required to observe a sample of transactions as they occurred to verify that cardholder data was encrypted during transit.[105] For SSL/TLS implementations, merchants were required to verify that HTTPS appeared as a part of the browser Universal Record Locator (URL) and that no cardholder data was required when HTTPS did not appear in the URL.[106] Merchants were also required to maintain a policy stating that unprotected PANs were not to be sent via end-user messaging technologies.

Examiner:  See responses to Issue #1-3.


Application No. 16/535,424    Docket No.: 124452.00122    Amendment dated April 11, 2022    Reply to Office Action of December 10, 2021

Issue #6
Applicant:  F. The specific processing steps recited in the claims are not "extra-solution activity," and the Patent Office provides no evidence that those processing steps were so "widely prevalent or in common use in the relevant industry" that they "need not be described in detail in the patent specification" to satisfy the written description requirement of 35 U.S.C. § 112(a). To support a factual determination that claimed features were "well-understood, routine, conventional activity," the subject matter eligibility guidelines require factual evidence that the specific "combination"[108] of elements recited in the claims were so "widely prevalent or in common use in the relevant industry" that they "need not be described in detail in the patent specification" to satisfy the written description requirement of 35 U.S.C. § 112(a).[109] The pending Office Action provides no evidence that the specific processing steps recited in the claims, performed by the secure server recited in the claims, are known, let alone so "widely prevalent" that they did not need description in a patent specification. The Interview Summary states that "the additional insignificant extra solution activity amount only to data gathering and data storing that are recognized by courts as well-understood routine conventional." First, the term "extra-solution activity" refers to "activities incidental to the primary process or product that are merely a nominal or tangential addition to the claim."[110] Here, the claimed processing steps are not "incidental to the primary process" or "merely a nominal or tangential addition to the claim." Instead, performing those processing steps by the secure server (thereby outsourcing the processing of cardholder data) differentiates the claimed invention from a conventional transaction where a payer provides financial account information directly to the merchant server.
Second, courts have not held that performing the specific "combination" of features recited in the claims - a secure server receiving an electronically-generated payment transaction instruction from a merchant server, establishing a secure connection via the internet with a computing system used by the payer to receive financial account information provided by the payer, receiving the financial account information provided by the payer via the secure connection, providing an electronic data token (representing the financial account information provided by the payer) to the merchant server without providing the financial account information to the merchant server and without providing the electronic data token to the payer, storing the financial account information provided by the payer, and processing the payment using the financial account information provided by the payer - is well-understood, routine or conventional.

Examiner:  Per the 101 rejection below, the claims do not recite significantly more. It is not clear how the claimed solution overcomes the "apply it" standard relied on in the rejection (applicant's argument addresses the well-understood, routine, conventional (WURC) standard, which the Examiner did not apply in the rejection).


No Prior Art rejection

Claims 1-7, 9-22, 24-35 & 37-47 overcome 35 U.S.C. 102/103 for the following reasons:  

Based on prior art search results, the prior art of record neither anticipates nor renders obvious the claimed subject matter, as a whole or taken in combination, and does not teach:

establishing a secure connection via the internet between the secure server and a computing system used by the payer to receive financial account information provided by the payer; receiving the financial account information provided by the payer via the secure connection; 

The closest prior art of record includes:

Tieken (US 20110161233) provides a method for providing secure transactions that include receiving an identifier of a financial account at a payment processor system (secure server).

Fleishman (US 20040148252) provides a person-to-person (P2P) payment platform and identity management system which facilitates online banking by allowing consumers to send and receive money in real-time, with no special registration outside of the users' existing banking relationship, and under the security, brand and control of their own respective banks. 

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Issued Patents

Claims 1-7, 9-22, 24-35 & 37-47 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1-26 of U.S. Patent No. 10,423,940 ('940; application 15/408,185). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are taught by the intervening claims of the '940 patent.


Claim 31. (instant application)

‘940 teaches the following limitations: 

A method of enrolling a payer by a merchant server operated by or for the benefit of a payee, the method comprising: receiving enrollment data identifying a payer; 

(‘940 – [Claim 1])

generating an electronic instruction for a secure server that includes at least one data element associated with the payer, 

(‘940 – [Claim 1])


the electronic instruction requesting the establishment of a secure connection via the internet between the secure server and a computing system used by the payer for the secure server to 

(‘940 – [Claim 4])


receive financial account information provided by the payer; 

(‘940 – [Claim 1])


outputting the electronic instruction to a communications network for transmittal to the secure server; 

(‘940 – [Claim 1])

receiving, from the secure server, an electronic data token representing financial account information received by the secure server via the secure connection, wherein the merchant server does not receive the financial account information represented by the electronic data token and the secure server does not provide the electronic data token to the payer; 

(‘940 – [Claim 1])


storing the electronic data token in association with the enrollment data identifying the payer; and 

(‘940 – [Claim 1])


processing a payment from the payer by electronically generating a payment transaction instruction that includes a representation of the electronic data token and 

(‘940 – [Claim 1])



instructs a payment processing system having access to the financial account information represented by the electronic data token.

(‘940 – [Claim 1])




Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-7, 9-22, 24-35 & 37-47 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The claims are either directed to a system or method, which is one of the statutory categories of invention.  (Step 1: YES).
The Examiner has identified method Claim 31 as the claim that represents the claimed invention for analysis; it is similar to system Claim 46 and to Claims 1 and 16 (method/system). Claim 31 recites the following limitations (the additional elements, emphasized in bold in the original, are considered to be parsed from the remaining abstract idea):


A method of enrolling a payer by a merchant server operated by or for the benefit of a payee, the method comprising: receiving enrollment data identifying a payer; generating an electronic instruction for a secure server that includes at least one data element associated with the payer, the electronic instruction requesting the establishment of a secure connection via the internet between the secure server and a computing system used by the payer for the secure server to receive financial account information provided by the payer; outputting the electronic instruction to a communications network for transmittal to the secure server; receiving, from the secure server, an electronic data token representing financial account information received by the secure server via the secure connection, wherein the merchant server does not receive the financial account information represented by the electronic data token and the secure server does not provide the electronic data token to the payer; storing the electronic data token in association with the enrollment data identifying the payer; and processing a payment from the payer by electronically generating a payment transaction instruction that includes a representation of the electronic data token and instructs a payment processing system having access to the financial account information represented by the electronic data token.



which is a process that, under its broadest reasonable interpretation, covers performance of the limitation(s) as a certain method of organizing human activity (a fundamental economic practice or commercial or legal interaction), namely processing a payment from a payer to a payee.

If a claim limitation, under its broadest reasonable interpretation (BRI), covers performance of the limitation as a certain method of a fundamental economic practice or commercial or legal interaction, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  

Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims are abstract)
This judicial exception is not integrated into a practical application. Limitations that are not indicative of integration into a practical application include: (1) adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea (MPEP 2106.05(f)); (2) adding insignificant extra-solution activity to the judicial exception (MPEP 2106.05(g)); (3) generally linking the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05(h)). The servers, secure connection via the internet, computing system, communications network and payment processing system in Claim 31 (as well as the processors and memory of Claim 16 and the processors and non-transitory CRM of Claim 46) are merely generic computer components. The computer hardware is recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to implement an abstract idea by adding the words "apply it" (or an equivalent) with the judicial exception. Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, claim 31 is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an "inventive concept") to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computer hardware amounts to no more than mere instructions to implement an abstract idea by adding the words "apply it" (or an equivalent) with the judicial exception. Mere instructions to implement an abstract idea on or with the use of generic computer components cannot provide an inventive concept, rendering the claim patent ineligible. Thus, claim 31 is not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
The dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for at least the reasons presented above. The dependent claims do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination: Claims 4, 19 and 33 (API/website) and Claims 6, 21 and 34 (API/website) recite only a computer tool used to further implement the abstract idea; Claims 9, 24, 37 and 47 (widget) recite a computer tool used to implement the abstract idea; Claims 10/11, 25/26 and 38/39 (URL) recite only a form of data representation; and Claims 12, 27 and 40 (synchronous secure connection) further implement the abstract idea using generic computer components. Therefore, the dependent claims are directed to an abstract idea. Thus, the aforementioned claims are not patent-eligible.
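The enrollment and payment flow recited in Claim 31 above, simulated in Python as an added illustration. This is not code from the application, the '940 patent, or any cited reference; the party names, message fields and the test PAN are constructed for the example, and the secure connection between the secure server and the payer's computing system is modeled as a direct in-process call where a real deployment would use TLS. The check at the end is the one a practitioner would want from this architecture: the merchant server's state never contains the PAN, and the payer's device never receives the token.

```python
"""Added illustration of the Claim 31 tokenization flow (hypothetical code).

Parties: PayerDevice (payer's computing system), MerchantServer (payee),
SecureServer (token vault, also acting as the payment processing system
with access to the account information). None of this is the applicant's
or the examiner's code; names and data are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field


def mask_pan(pan: str) -> str:
    """Display-mask a PAN, keeping at most the first six and last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 10:
        raise ValueError("PAN too short to mask")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class PayerDevice:
    """The payer's computing system; records everything it is sent."""
    pan: str
    received: list = field(default_factory=list)

    def provide_account_information(self, prompt: dict) -> str:
        # Assumed: this prompt arrives over a TLS session opened by the
        # secure server, not by the merchant (modeled as a direct call).
        self.received.append(prompt)
        return self.pan


@dataclass
class SecureServer:
    """Token vault: apart from the payer, the only party that sees the PAN."""
    vault: dict = field(default_factory=dict)

    def handle_instruction(self, instruction: dict, device: PayerDevice) -> dict:
        pan = device.provide_account_information(
            {"prompt": "enter card", "ref": instruction["payer_ref"]})
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from PAN
        self.vault[token] = pan
        # The payer receives only a masked receipt, never the token.
        device.received.append({"receipt": mask_pan(pan)})
        return {"payer_ref": instruction["payer_ref"], "token": token}

    def authorize(self, txn: dict) -> dict:
        pan = self.vault[txn["token"]]  # detokenized inside the secure boundary
        return {"approved": True, "amount": txn["amount"], "pan_masked": mask_pan(pan)}


@dataclass
class MerchantServer:
    """Merchant server: enrolls payers and charges them using tokens only."""
    secure: SecureServer
    enrollments: dict = field(default_factory=dict)
    outbound: list = field(default_factory=list)

    def enroll(self, enrollment: dict, device: PayerDevice) -> str:
        payer_ref = enrollment["payer_id"]
        instruction = {"type": "collect_account_info", "payer_ref": payer_ref}
        self.outbound.append(instruction)              # sent to the secure server
        reply = self.secure.handle_instruction(instruction, device)
        self.enrollments[payer_ref] = {**enrollment, "token": reply["token"]}
        return reply["token"]

    def charge(self, payer_id: str, amount: int) -> dict:
        token = self.enrollments[payer_id]["token"]
        txn = {"token": token, "amount": amount, "payer_ref": payer_id}
        self.outbound.append(txn)                      # payment transaction instruction
        return self.secure.authorize(txn)


def pan_leaked_to_merchant(merchant: MerchantServer, pan: str) -> bool:
    """True if the raw PAN appears anywhere in the merchant's stored or sent data."""
    return pan in repr(merchant.enrollments) or pan in repr(merchant.outbound)


def run_flow() -> dict:
    pan = "4111111111111111"  # constructed test PAN
    device = PayerDevice(pan=pan)
    secure = SecureServer()
    merchant = MerchantServer(secure=secure)
    token = merchant.enroll({"payer_id": "payer-42", "email": "p@example.com"}, device)
    auth = merchant.charge("payer-42", 1999)
    return {
        "token": token,
        "approved": auth["approved"],
        "merchant_saw_pan": pan_leaked_to_merchant(merchant, pan),
        "payer_saw_token": token in repr(device.received),
        "receipt": auth["pan_masked"],
    }


if __name__ == "__main__":
    print(run_flow())
```

The token is generated with `secrets.token_urlsafe` rather than derived from the PAN, so possession of the merchant database yields nothing that can be reversed into cardholder data; the vault alone maps token to PAN, and it does so only when it authorizes a transaction.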
 

Conclusion
The prior art made of record, and not relied upon, considered pertinent to applicant's disclosure or directed to the state of the art is listed on the enclosed PTO-892.
The following is a brief description of relevant prior art that was cited but not applied:

Hammad (US 20120259782) provides a method for authenticating a cardholder using multiple tokenization authentication.

Hammad (US 20120136796) provides a method of enrolling a mobile device in a program that provides the mobile device with the ability to conduct card-present transactions.

Stringfellow (US 20120030066) provides a payment system that processes payment authorization requests for payment transactions to be conducted via a data communications network on behalf of online merchants, and is particularly, but not exclusively, suited to the processing of orders placed by financial instrument holders.

Moore (US 20100235286) provides a method and system for generating tokens in a transaction handling system. 

Basu (US 9342832) provides a method for securing external systems with account token substitution.

Yanni (US 20040098350) provides a framework and system for purchasing of goods and services.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULMAJEED AZIZ whose telephone number is (571) 270-5046. The examiner can normally be reached M-F, 7:00 AM-4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached on 571-270-3602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABDULMAJEED AZIZ/Primary Examiner, Art Unit 3695