DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.	The Action is responsive to Applicant’s amendment, filed on July 1, 2022. 
3.	Claims 1-20 are pending. 

Response to Arguments
4.	Applicant’s arguments with respect to claims 1-20 have been considered but are not persuasive at least for the following reason: 
Applicant argues in substance that “Neither Vogel nor Grzymala-Busse teaches or suggests identifying a series of consecutive digits having a same length or a same range of lengths as a complete length or a complete range of lengths of sensitive data of interest, such as a bank card number, which may, for example, have a length of 13 to 16 digits before evaluating those digits. Rather, the teachings of Vogel are limited to identifying a particular number (e.g., a 4), and then determining whether a certain pattern (e.g., three more digits followed by a dash, followed by a second group of four
digits, followed by a second dash, followed a third group of four digits, followed by a third dash, followed by a fourth group of four digits) (1.e., 18 characters) follows that particular number. Grzymala-Busse ambiguously mentions that data “formatted in the manner expected for credit card numbers (i.e. number of digits, arrangement of numbers, first four digits, etc.)” may be used to determine whether data may correspond to a credit card number. Grzymala-Busse, paragraph [0047]. Grzymala-Busse does not teach or suggest that the length of consecutive digits is determined before the data is further evaluated.
Moreover, neither Vogel nor Grzymala-Busse teaches or suggests that once a series of
consecutive digits of requisite length (or within a requisite range of lengths) has been identified as a potentially sensitive data string, a subseries of digits is evaluated, one by one and in sequence, to determine whether or not the subseries corresponds to a known identifier of sensitive data, such as a bank identification number. Although Grzymala-Busse teaches that the first four digits of a number may provide information about whether data is formatted in a manner consistent with a credit card number, that comparison apparently includes the wholesale comparison of the first four digits to a database of four digit numbers that are known to be used at the beginning of a bank card number. In any event, neither Vogel nor Grzymala-Busse provides any specific teaching or suggestion as to how the first four digits are evaluated. Nor has
the Office identified any teaching or suggestion of the processes required by independent claims 1, 10, and 15 from Vogel or Grzymala-Busse. Thus, neither Vogel nor Grzymala-Busse…” However, Examiner respectfully disclose that the mentioned combination discloses the discussed “once a series of consecutive digits of requisite length (or within a requisite range of lengths) has been identified as a potentially sensitive data string, a subseries of digits is evaluated, one by one and in sequence, to determine whether or not the subseries corresponds to a known identifier of sensitive data, such as a bank identification number” 
a merchant with a merchant collection system that receives bank card transaction information comprising data including potentially sensitive information subject to data security standards and a merchant memory device associated with the merchant collection system; (Vogel: Page 5, [0047])  an approved scanning vendor with a scanning device  capable of communicating with a-the merchant memory to determine compliance by the merchant collection system with data security standards applicable to the bank card information, the scanning  device programmed to: scan the merchant memory device to identify a series of consecutive digits having a same ((Vogel: Page 1, [0005]), Vogel: Page 5, [0047]).
	 evaluate at least one digit of a subseries of consecutive digits within the series of consecutive digits to determine whether the subseries of consecutive digits corresponds to a known identifier of the sensitive data of interest(Vogel: Page 6, [0058]; the data is scanned for a substring of bytes that begins with a particular character ("4") and is followed by three decimal numbers, a hyphen, and so on) including:  a comparison of a first value of a first digit of the subseries of consecutive digits to a group consisting of known values of first digits of a plurality of identifiers of the sensitive data of interest (Vogel: Page 6, [0058]);
if the first value of the first digit does not correspond to a first known value of a first digit of a bank identification number, terminating evaluation of the series of consecutive digits; if the value of the first digit matches a known value of first digits of the plurality of identifiers of the sensitive data of interest
	 a comparison of a second value of a second digit of the subseries of consecutive digits to a group consisting of values of second digits known to correspond to the value of the first digit in a plurality of identifiers of the sensitive data of interest (Vogel: Page 6, [0058], the first comparison of number “4” is compared as an example); if the second value of the second digit matches a known value of second digits of the plurality of identifiers of the sensitive data of interest, and the second value of the second digit does not correspond to a second known value of a second digit of a bank identification number, terminating the evaluation of the consecutive digits: ) Vogel: Page 6, par [0058], “The particular form of each recognizable pattern used in searching the data will preferably depend on the type of sensitive data that the pattern indicates. As one examples, a recognizable pattern for a payment card number may take the form of a sequence of characters that begins with a "4" and is then followed by 3 numeric characters, a first dash, 4 numeric characters, a second dash, 4 numeric characters, a third dash, and 4 number characters (i.e., 4???-????-????-????).” Vogel recites comparing different types and beginning with a “4” being the first comparison and followed by 3 numeric characters, still compares the mentioned numbers.)
if the second value of the second digit matches a known value of second digits of the plurality of identifiers of the sensitive data of interest,  if the second value of the second digit does not correspond to a second known value of a second digit of a bank identification number, terminating the evaluation of the consecutive digits; Vogel: Page 6, par [0058], “The particular form of each recognizable pattern used in searching the data will preferably depend on the type of sensitive data that the pattern indicates. As one examples, a recognizable pattern for a payment card number may take the form of a sequence of characters that begins with a "4" and is then followed by 3 numeric characters, a first dash, 4 numeric characters, a second dash, 4 numeric characters, a third dash, and 4 number characters (i.e., 4???-????-????-????).” Vogel recites comparing different types and beginning with a “4” being the first comparison and followed by 3 numeric characters, still compares the mentioned numbers.)
and a comparison of a third value of a third digit of the subseries of consecutive digits to a group consisting of values of third digits known to correspond to the value of the second digit in at least one identifier of the sensitive data of interest (Vogel: Page 6, [0058]); and if the third value of the third digit does not correspond to a third known value of a third digit of a bank identification number, terminating evaluation of the consecutive digits: and if the third value of the third digit matches a known value of third digits of the plurality of identifiers of the sensitive data of interest   Vogel: Page 6, par [0058], “The particular form of each recognizable pattern used in searching the data will preferably depend on the type of sensitive data that the pattern indicates. As one examples, a recognizable pattern for a payment card number may take the form of a sequence of characters that begins with a "4" and is then followed by 3 numeric characters, a first dash, 4 numeric characters, a second dash, 4 numeric characters, a third dash, and 4 number characters (i.e., 4???-????-????-????).” Vogel recites comparing different types and beginning with a “4” being the first comparison and followed by 3 numeric characters, still compares the mentioned numbers.)
	identify each series of consecutive digits that includes a subseries of consecutive digits with first, second, and third digits with values that correspond to values of at least one identifier of the sensitive data of interest as a suspected sensitive data string (Vogel: Page 6, [0059]; suspected sensitive data is identified). 
	Vogel does not explicitly disclose identifying a series of consecutive digits having a same length or a same range of lengths as a complete length or a complete range of lengths of sensitive data of interest, in which each digit of the series of consecutive digits is a decimal number (Vogel: Page 6, [0058]; a pattern for sensitive data may be provided including a string of decimal numbers. The data is character data (sequential bytes), see page 3, [0030]).
	Vogel disclose the comparison of number and Grzymala-Busse teaches that credit cards may be represented as a specific combination of numbers as follows: 
 (Grzymala-Busse: [0047]), and may be arranged in a variety of formats. 
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, both references are related to evaluating data strings.
In view of the above, the Examiner contends that all limitations as recited in the claims have been addressed in this Action.           For the above reasons, the Examiner believes that the rejections of the last Office action were proper.
Double Patenting
5.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

6.	Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-13 of U.S. 10,679,218. Although the claims at issue are not identical, they are not patentably distinct from each other because, see table below:

16/897,048
10,679,218
1. A system for identifying potentially sensitive information, comprising: a collection system that receives data including potentially sensitive information; an approved scanning vendor with a scanning device that communicates with the collection system and is programmed to: scan the collection system to identify any potentially sensitive data strings, each potentially sensitive data string comprising a series of consecutive digits having a same length or a same range of lengths as a complete length or a complete range of lengths of sensitive data of interest in which each digit of the series of consecutive digits is a decimal number; sequentially and individually evaluate a subseries of consecutive digits at a beginning of the series of consecutive digits of each potentially sensitive data string to determine whether the subseries of consecutive digits corresponds to a known identifier of the sensitive data of interest.
2. The system of claim 1, wherein the approved scanning vendor is programmed to: compare a first value of a first digit of the subseries of consecutive digits to a group consisting of known values of first digits of a plurality of identifiers of the sensitive data of interest; and if the first value of the first digit does not correspond to a first known value of a first digit of a bank identification number, terminate evaluation of the series of consecutive digits; or if the first value of the first digit matches a known value of first digits of the plurality of identifiers of the sensitive data of interest, compare a second value of a second digit of the subseries of consecutive digits to a group consisting of values of second digits known to correspond to the first value of the first digit in a plurality of identifiers of the sensitive data of interest.
3. The system of claim 2, wherein the approved scanning vendor is further programmed to: if the second value of the second digit does not correspond to a second known value of a second digit of a bank identification number, terminate the evaluation of the consecutive digits; or if the second value of the second digit matches a known value of second digits of the plurality of identifiers of the sensitive data of interest, compare a third value of a third digit of the subseries of consecutive digits to a group consisting of values of third digits known to correspond to the value of the second digit in at least one identifier of the sensitive data of interest.


1.  A system for identifying potentially sensitive information, comprising: a merchant with a merchant collection system that receives bank card transaction information comprising data including potentially sensitive information subject to data security standards and a merchant memory device associated with the merchant collection system; an approved scanning vendor with a scanning device capable of communicating with the merchant memory device to determine compliance by the merchant collection system with data security standards applicable to the bank card transaction information, the scanning device programmed to: scan the merchant memory device to identify any potentially sensitive data strings, each potentially sensitive data string comprising a series of consecutive digits having a same length or a same range of lengths as a complete length or a complete range of lengths of sensitive data of interest in which each digit of the series of consecutive digits is a decimal number; sequentially and individually evaluate a subseries of consecutive digits at a beginning of the series of consecutive digits of each potentially sensitive data string, including evaluation of at least one digit of the subseries of consecutive digits within the series of consecutive digits of each potentially sensitive data string to determine whether the subseries of consecutive digits corresponds to a known identifier of the sensitive data of interest, including: a comparison of a first value of a first digit of the subseries of consecutive digits to a group consisting of known values of first digits of a plurality of identifiers of the sensitive data of interest; if the first value of the first digit does not correspond to a first known value of a first digit of a bank identification number, terminating evaluation of the series of consecutive digits; if the first value of the first digit matches a known value of first digits of the plurality of identifiers of the sensitive data of interest, a comparison of a second value of a second digit of the subseries of consecutive digits to a group consisting of values of second digits known to correspond to the first value of the first digit in a plurality of identifiers of the sensitive data of interest; if the second value of the second digit does not correspond to a second known value of a second digit of a bank identification number, terminating the evaluation of the consecutive digits; if the second value of the second digit matches a known value of second digits of the plurality of identifiers of the sensitive data of interest, a comparison of a third value of a third digit of the subseries of consecutive digits to a group consisting of values of third digits known to correspond to the value of the second digit in at least one identifier of the sensitive data of interest; if the third value of the third digit does not correspond to a third known value of a third digit of a bank identification number, terminating evaluation of the consecutive digits; and if the third value of the third digit matches a known value of third digits of the plurality of identifiers of the sensitive data of interest, identify each potentially sensitive data string that includes a subseries of consecutive digits with first, second, and third digits with values that correspond to values of at least one identifier of the sensitive data of interest as a sensitive data string.


Claim Rejections - 35 USC § 103
7.	The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


8.	Claims 1, 9-12, 15, 18-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over US 2008/0216174 to Vogel et al, hereinafter “Vogel”, and further in view of US 2011/0040983 to Grzymala-Busse et al, hereinafter “Grzymala-Busse”.
As to claim 1, 10, and 15, Vogel discloses a system for identifying potentially sensitive information, comprising:
a merchant with a merchant collection system that receives bank card transaction information comprising data including potentially sensitive information subject to data security standards and a merchant memory device associated with the merchant collection system; (Vogel: Page 5, [0047])  an approved scanning vendor with a scanning device  capable of communicating with a-the merchant memory to determine compliance by the merchant collection system with data security standards applicable to the bank card information, the scanning  device programmed to: scan the merchant memory device to identify a series of consecutive digits having a same ((Vogel: Page 1, [0005]), Vogel: Page 5, [0047]).
	 evaluate at least one digit of a subseries of consecutive digits within the series of consecutive digits to determine whether the subseries of consecutive digits corresponds to a known identifier of the sensitive data of interest(Vogel: Page 6, [0058]; the data is scanned for a substring of bytes that begins with a particular character ("4") and is followed by three decimal numbers, a hyphen, and so on) including:	 a comparison of a first value of a first digit of the subseries of consecutive digits to a group consisting of known values of first digits of a plurality of identifiers of the sensitive data of interest (Vogel: Page 6, [0058]);
if the first value of the first digit does not correspond to a first known value of a first digit of a bank identification number, terminating evaluation of the series of consecutive digits; if the value of the first digit matches a known value of first digits of the plurality of identifiers of the sensitive data of interest	 a comparison of a second value of a second digit of the subseries of consecutive digits to a group consisting of values of second digits known to correspond to the value of the first digit in a plurality of identifiers of the sensitive data of interest (Vogel: Page 6, [0058], the first comparison of number “4” is compared as an example); if the second value of the second digit matches a known value of second digits of the plurality of identifiers of the sensitive data of interest, and the second value of the second digit does not correspond to a second known value of a second digit of a bank identification number, terminating the evaluation of the consecutive digits: ) Vogel: Page 6, par [0058], “The particular form of each recognizable pattern used in searching the data will preferably depend on the type of sensitive data that the pattern indicates. As one examples, a recognizable pattern for a payment card number may take the form of a sequence of characters that begins with a "4" and is then followed by 3 numeric characters, a first dash, 4 numeric characters, a second dash, 4 numeric characters, a third dash, and 4 number characters (i.e., 4???-????-????-????).” Vogel recites comparing different types and beginning with a “4” being the first comparison and followed by 3 numeric characters, still compares the mentioned numbers.)
if the second value of the second digit matches a known value of second digits of the plurality of identifiers of the sensitive data of interest,  if the second value of the second digit does not correspond to a second known value of a second digit of a bank identification number, terminating the evaluation of the consecutive digits; Vogel: Page 6, par [0058], “The particular form of each recognizable pattern used in searching the data will preferably depend on the type of sensitive data that the pattern indicates. As one examples, a recognizable pattern for a payment card number may take the form of a sequence of characters that begins with a "4" and is then followed by 3 numeric characters, a first dash, 4 numeric characters, a second dash, 4 numeric characters, a third dash, and 4 number characters (i.e., 4???-????-????-????).” Vogel recites comparing different types and beginning with a “4” being the first comparison and followed by 3 numeric characters, still compares the mentioned numbers.)
and a comparison of a third value of a third digit of the subseries of consecutive digits to a group consisting of values of third digits known to correspond to the value of the second digit in at least one identifier of the sensitive data of interest (Vogel: Page 6, [0058]); and if the third value of the third digit does not correspond to a third known value of a third digit of a bank identification number, terminating evaluation of the consecutive digits: and if the third value of the third digit matches a known value of third digits of the plurality of identifiers of the sensitive data of interest   Vogel: Page 6, par [0058], “The particular form of each recognizable pattern used in searching the data will preferably depend on the type of sensitive data that the pattern indicates. As one examples, a recognizable pattern for a payment card number may take the form of a sequence of characters that begins with a "4" and is then followed by 3 numeric characters, a first dash, 4 numeric characters, a second dash, 4 numeric characters, a third dash, and 4 number characters (i.e., 4???-????-????-????).” Vogel recites comparing different types and beginning with a “4” being the first comparison and followed by 3 numeric characters, still compares the mentioned numbers.)	identify each series of consecutive digits that includes a subseries of consecutive digits with first, second, and third digits with values that correspond to values of at least one identifier of the sensitive data of interest as a suspected sensitive data string (Vogel: Page 6, [0059]; suspected sensitive data is identified). 
	Vogel does not explicitly disclose identifying a series of consecutive digits having a same length or a same range of lengths as a complete length or a complete range of lengths of sensitive data of interest, in which each digit of the series of consecutive digits is a decimal number (Vogel: Page 6, [0058]; a pattern for sensitive data may be provided including a string of decimal numbers. The data is character data (sequential bytes), see page 3, [0030]).
	Vogel disclose the comparison of number and Grzymala-Busse teaches that credit cards may be represented as a specific combination of numbers as follows: 
 (Grzymala-Busse: [0047]), and may be arranged in a variety of formats. One having ordinary skill in the art at the time of applicant's invention would have been motivated to combine Grzmala-Busse with Vogel to identify sensitive information even when represented in varying formats. Therefore, it would have been obvious to one having ordinary skill in the art at the time of applicant's invention to combine Grzmala-Busse with Vogel to arrive at the claimed invention.
As to claim 9, Vogel discloses the system of claim 4, wherein the plurality of identifiers of the sensitive data of interest comprises a plurality of bank identification numbers and the at least one identifier of the sensitive data of interest comprises at least one bank identification number (Vogel: Page 6, [0057]; sensitive data may be bank account data, including routing number and/or account number data). 

As to claim 11 and claim 13, Vogel discloses the system of claim 12, further comprising:  an administrator that commissions scanning of the memory device (Vogel: Page 5, [0047]; a user initiates the process). 

As to claim 12, Vogel discloses the system of claim 13, wherein the scanning device is also programmed to:  report the suspected sensitive data string to the administrator (Vogel: Page 4, [0039]-[0040]). 

As to claim 18 Vogel discloses the system of claim 25, further comprising:  an administrator that sets a data security standard and commissions scanning of the memory device to determine the merchant's compliance with the data security standard (Vogel: Page 5, [0047]). 

As to claim 19, Vogel discloses the system of claim 26, wherein the administrator comprises at least one of an acquirer and an issuer (Vogel: [0078]). 

As to claim 20, Vogel discloses the system of claim 26, further comprising: a compliance monitor that operates the scanning device when commissioned by the administrator (Vogel: Page 5, [0047]).

Allowable Subject Matter
9.	Claims 2, 3, 4, 13,14, 16, and 17 would be allowable if rewritten to overcome the double patenting rejection set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.


Conclusion
10.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
	Heim et al (US 2009/0083545) relates to SEARCH REPORTING APPARATUS, METHOD AND SYSTEM, specifically, one example of a Regular Expression is a pattern of data including sixteen digits that start with four specific digits, such as may represent credit card data. These patterns, by themselves, do not expose sensitive data and assist the DOBE in recognizing a string of data as potentially sensitive.
11.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANGELICA RUIZ whose telephone number is (571)270-3158. The examiner can normally be reached M-F 10:00 am to 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre M Vital can be reached on (571) 272-4215. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANGELICA RUIZ/Primary Examiner, Art Unit 2162                                                                                                                                                                                                        October 3, 2022