DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Response to Amendment
Applicant’s “Amendment” filed on 09/08/2022 has been considered.
Claims 18-37 remain pending in this application and an action on the merits follow.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 18-37 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent Application Publication No. 2017/0163617 to Laxminarayanan et al.
With regard to claims 18, 26, and 34, Laxminarayanan discloses a system for accessing protected data comprising: 
a token retriever system operating on a first processor and configured to receive a token of encrypted data from a device and to transmit a request including the token to a detokenization system over a data communications medium (Fig. 1, paragraphs 45, 57, 66, 72, and 82, In some embodiments, the user device 120 may also store a payment token. Some or all of this data may be securely stored via hardware (e.g., a secure element) or software (e.g., host card emulation or other encryption techniques). The user device 120 may be able to use payment credentials and/or payment tokens for transactions. The resource provider computer 530 may encrypt the payment token, the token expiration date, the verification value, and/or any other suitable information sent in an authorization request message. For example, the token processing module 150F may contain logic that causes the processor 150A to detokenize a payment token in an authorization request message. The detokenization module 170F may comprise code that causes the processor 170A to detokenize payment tokens. For example, the detokenization module 170F may contain logic that causes the processor 170A to identify a token record associated with a payment token in the token record database 170C. A set of payment credentials associated with the payment token (as indicated in the token record) can then be identified. In some embodiments, the detokenization module 170F may include instructions to detokenize a payment token in response to a detokenization request message (e.g., received from the transaction processing computer 150 or any other suitable entity). Examiner notes that the transaction processing computer can be considered as “a token retriever system” and the detokenization module 170F may contain logic that causes the processor 170A, which can be considered as “a detokenization system”. Examiner notes that a detokenization request message can be considered as “a request including the token”); 
the detokenization system operating on a second processor and configured to receive the token and to transmit a response to the request that includes an account number associated with the token if the request has been received from an authorized source (Fig. 4, Paragraphs 42-43, 45, 82, and 144, The token provider may support token processing of payment transactions submitted using tokens by de-tokenizing the token to obtain the actual PAN. A token requestor may be identified by a “token requestor identifier.” A token requestor identifier may be a set of letters, numbers, or any other suitable characters for identifying a token requestor.  The token domain controls may restrict the use of the token with particular presentment modes, such as contactless or e-commerce presentment modes. In some embodiments, the token domain controls may restrict the use of the token at a particular merchant that can be uniquely identified. At step 534, the token provider computer 570 can send a detokenization response message back to the transaction processing computer 550. The detokenization response message may include the payment credentials, the payment token, a transaction ID, and/or any other suitable information. Examiner notes that payment channels allowed in the token domain can be considered as “an authorized source”. Examiner notes that the detokenization response message can be considered as “a response to the request that includes an account number associated with the token”. If the request has been received from an authorized source (condition A), the detokenization system transmits a response to the request that includes an account number associated with the token (step A). If condition A is not occurred, step A is not invoked. Therefore, this limitation has no patentable weight); and 
wherein the token retriever system is configured to receive the account number and to display the account number for a predetermined period of time (paragraphs 38, 120-123, 144, and 151, At step 534, the token provider computer 570 can send a detokenization response message back to the transaction processing computer 550. The detokenization response message may include the payment credentials, the payment token, a transaction ID, and/or any other suitable information. “Payment credentials” may include any suitable information associated with an account (e.g., a payment account and/or payment device associated with the account). Such information may be directly related to the account or may be derived from information related to the account. Examples of payment credentials may include a PAN (primary account number or “account number”), user name, and an expiration date. The transaction processing computer can utilize the received payment credentials including a payment account to process a transaction. It’s well known that the account number can be displayed to be shown on a POS device and the account number will be delated for a specific time frame for security reason).  
With regard to claims 19, 27, and 35, Laxminarayanan discloses the token retriever system is configured to receive an access device and to determine whether the access device is associated with an authorized user (fig. 1, paragraphs 57, 118, and 121, The user device 120 may as well as personal information such as a name, address, email address, phone number, or any other suitable user 110 identification information. For example, the user device 120 may be able to transmit payment credentials and/or payment tokens over-the-air to the resource provider computer 130 during internet transactions and/or in-app transactions.  a domain control may be assigned to the payment token specifying that only the resource provider computer 530 is authorized to use the payment token for a transaction. The payment token may only be considered valid if accompanied by an approved token requestor ID or other identifier associated with the resource provider computer 530. The payment token may be associated with a user account, a user device 520 identifier, or otherwise associated with the user. As a result, the payment token can be identified and utilized for future transactions between the user and resource provider).  
With regard to claims 20, 28, and 36, Laxminarayanan discloses the detokenization system further comprises a limit system configured to limit a number of detokenization procedures from the token retriever system within a predetermined period of time (paragraphs 141 and 143, The token provider computer 570 may determine whether the current authorization request message violates any domain controls. For example, the token provider computer 570 can determine whether the payment token and verification value are being used within an allowed timeframe, being used for a transaction underneath a maximum threshold value, being submitted by an allowed merchant, token requestor, and/or acquirer, and otherwise check for approved usage conditions.  If the verification value is validated and the domain controls are met, the token provider computer 570 may proceed to detokenize the payment token. It’s well known that s system processing has limited processing power to process multiple tasks at the same time. Therefore, it’s well known to utilize a limit system to limit the maximum processing tasks that can be processed at the same time to reduce overload problems).  
With regard to claims 21, 29, and 37, Laxminarayanan discloses the detokenization system further comprises a terminal management system configured to interface with the token retriever system and to authenticate the token retriever system (paragraphs 47 and 99, A “verification value” may include information for authentication. The verification data validation module 170H may then, in conjunction with the processor 170A, regenerate the verification value based on the identified dynamic data element and the received token, the received token expiration date, the received token requestor ID, and/or any other suitable information. The regenerated verification value can be compared with the received verification value. If the values match, the received verification value may be considered authentic and validated).  
With regard to claims 22 and 30, Laxminarayanan discloses the detokenization system further comprises a terminal management system configured to interface with the token retriever system and to replace a security certificate at the token retriever system (paragraph 80, generating, by the second computer, a first verification value based on the root security value and the token; providing, by the second computer, the first verification value to the first computer).  
With regard to claims 23 and 31, Laxminarayanan discloses the detokenization system further comprises a terminal management system configured to interface with the token retriever system and to determine a state of operation of the token retriever system (paragraph 184, Embodiments of the invention can also advantageously introduce these methods for controlling payment tokens through verification values and dynamic data elements without requiring the merchant computer, acquirer computer, or issuer computer to make any changes. merchant and acquirer system updates would be needed in order to accommodate token cryptograms for online transactions).  
With regard to claims 24 and 32, Laxminarayanan discloses the detokenization system further comprises a security access system configured to interface with the token retriever system and an access device and to determine whether the access device is associated with an authorized user (paragraphs 22, 57-58, and 96, an access token can represent a set of access credentials, but the access token may only be accepted for a transaction if accompanied by an authentic verification value. The user device 120 may store or have access to certain types of user information. Also, the user device 120 may be able to transmit (e.g., via NFC, Bluetooth, RF, QR, etc.) payment credentials and/or payment tokens to an access device (e.g., a POS terminal) during in-person transactions. The resource provider computer 130 may be associated with a resource provider, which may be an entity that can provide a resource such as goods, services, information, and/or access. Examples of a resource provider include merchants, access devices, secure data access points, etc. A merchant may typically be an entity that engages in transactions and can sell goods or services, or provide access to goods or services. The verification data validation module 170H may include instructions for using the received data and/or stored data to validate the use of the token and verification value).  
With regard to claims 25 and 33, Laxminarayanan discloses the token retriever system further comprises a first security access system configured to interface with an access device and to determine whether the access device is associated with an authorized user, and the detokenization system further comprises a second security access system configured to interface with the first security access system and the access device and to determine whether the access device is associated with an authorized user (paragraphs 22, 28, 57-58, and 96, As a result, sensitive information that can be used to overcome security barriers (e.g., the verification value) are not stored, but an incoming verification value can still be validated by re-creating the verification value with the stored dynamic data element. Thus, security is improved because sensitive information is not stored or vulnerable.).

Response to Arguments
Applicants' arguments filed on 09/08/2022 have been fully considered but they are not fully persuasive especially in light of the previously reference applied in the rejections. 
Applicants remark that “Laxminarayanan does not disclose the detokenization system operating on a second processor and configured to receive the token and to transmit a response to the request that includes an account number associated with the token if the request has been received from an authorized source, and wherein the token retriever system is configured to receive the account number and to display the account number for a predetermined period of time”.
Examiner does not agree. Under broadest reasonable interpretation, the scope of the independent claims 18, 26 and 33 positively discloses “a token retriever system operating on a first processor and configured to receive a token of encrypted data from a device and to transmit a request including the token to a detokenization system over a data communications medium, the detokenization system operating on a second processor and configured to receive the token”. However, the scope of the claims does not disclose “the detokenization system…to transmit a response to the request that includes an account number…if the request has been received from an authorized source, wherein…and to display the account number for a predetermined period of time”. If the request has been received from an authorized source (condition A is occurred), transmit a response to the request that includes an account number and display the account for a predetermined period of time (Step A is performed). Condition A is occurred, Step A is performed. Under broadest reasonable interpretation, conditional limitation includes condition A is not occurred, Step A is not performed. Therefore, the limitation has no patentable weight. The scope of the claims includes condition A is not occurred/triggered (i.e., the request has not been received from an authorized source), step A is not performed (i.e., the detokenization system does not transmit a response … and since there is no response received by the token retriever system, there is no account number can be displayed for a predetermined period of time. Therefore, the limitation “the detokenization system…to transmit a response to the request that includes an account number … if the request has been received from an authorized source, and wherein the token retriever system …to display the account number for a predetermined period of time” has no patentable weight in the scope of the claims. 
Applicants remark that “a official notice for displaying the account number for a predetermined period of time is not a well-known technology”.
Examiner does not agree. For examination purpose, a prior art is provided to support this limitation “display the account number for a predetermined period of time” is a well-known technology for protecting secure account number information.
  Laxminarayanan discloses the token retriever system is configured to receive the account number (the transaction processing computer receives the detokenization response message which includes the payment credentials, wherein the payment credentials may include any suitable information associated with an account (e.g., a payment account and/or payment device associated with the account). However, Laxminarayanan does not disclose displaying the account number for a predetermined period of time. 
However, Celikyilmaz teaches displaying the account number for a predetermined period of time (paragraphs 148 and 153, The mobile device can be configured, for example, to present the account number (302) on a display device and determine the position (e.g., location (413)) of the mobile device (409) while the account number (302) is presented on the display device. The time period of the display of the account number (302) on the mobile application (407) can be limited to encourage the determination of the position (e.g., location (413)) of the mobile device (409) in the vicinity of the transaction terminal (105). The account number (302) may be set to be valid for one time use within a predetermined period of time. The mobile device (407) may further include a display device, on which the mobile application (409) is configured to present the account number (302) while determining the location (413) of the mobile device (409).)
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention was made to modify Laxminarayanan to include, displaying the account number for a predetermined period of time, as taught in Celikyilmaz, in order to  receive an account number (302) for the initiation of a transaction using the transaction terminal (105) (Celikyilmaz, paragraph 150).
Conclusion
Please refer to form 892 for cited references.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication from the examiner should be directed to Ariel Yu whose telephone number is 571-270-3312. The examiner can normally be reached on Monday-Friday 9:00am-5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nathan Uber can be reached on 571-270-3923.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ARIEL J YU/Primary Examiner, Art Unit 3687