DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on August 24, 2022 has been entered.
 
Acknowledgment
Applicant’s amendment filed on August 24, 2022 is acknowledged. Accordingly claims 1-4, 6-14 and 16-22 remain pending and have been examined.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-14 and 16-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al (hereinafter “Sharma”) U.S. Patent Application Publication No. 2020/0097956 A1 in view of West U.S. Patent Application Publication No. 2011/0087560 A1 and further in view of Putre et al (hereinafter “Putre”) U.S. Patent Application Publication No. 2018/0349891 A1.

As per claims 1, 12 and 20, Sharma discloses a system for securing electronic payments, the system comprising: 
One or more servers comprising:
one or more processors (see fig. 1); and
a memory storing computer code instructions, the computer code instructions, when executed by the one or more processors, cause the one or more computer servers to:
provide a session identifier (ID) and a URL of an iFrame to an electronic commerce (e-commerce) host server for forwarding to a computing device responsive to the computing device initiating an e-commerce transaction on an information resource, the URL specific to a payment session identified by the session ID (see fig. 3A and associated text; 0023, which discloses that “In step 2 in FIG. 2, the partner embeds the iFrame URL in their web UI (e.g., checkout webpage) along with reference to an iFrame.js program provided by the payment service provider.”);
receive a request for the iFrame from the computing device responsive to the e-commerce host server forwarding the URL and the session ID to the computing device, the request for the iFrame including the URL of the iframe and the  first instance of the session ID (see fig. 3A which discloses that “getiframeurl (CSS URL or CSS ID.”);
provide, upon validating the first instance of the session ID, the iFrame to the computing device for embedding within the payment page provided by the commerce host server to the computing device (see fig. 3A, which discloses payment service provider providing iframe url and 1 time use token to partner step 312; 0021, which discloses that “As described more fully below, in one embodiment the partner embeds an iFrame generated by the payment service provider into the partner's webpage. To users, the payment page, which is rendered by the payment service provider and embedded into the partner's website via the iFrame, appears seamlessly integrated into the partner's website.”); 
the iframe and the payment page hosted by different domains and the iFrame configured to receive user payment data and transmit the user payment data to the system without the payment page and a domain of the payment page having access to the user payment data and 
the iFrame including payment instructions, which when executed by the computing device cause the computing device to:
	display a user interface for input of user payment data;
encrypt the user payment data when input via the user interface; and 
send the encrypted user payment data to the one or more processors;
receive the user payment data and a second instance of the session ID from the iFrame (see fig. 3A which shows receiving iframe URl and 1 time use token step 312; 0024, which discloses that “At step 3 in FIG. 2, after a user completes a transaction and submits the payment form including the customer's sensitive information at the partner's web UI, the iFrame.js module captures the sensitive payment information from the user's submission as well as the onetime use token.”;);
provide, upon validating the second instance of the session ID, a one-time token (OTT) to the computing device for use to initiate payment pre-authorization, the OTT associated with the session ID and indicative of the user payment data (0009, which discloses that “validating at the PSP server the onetime use token.”);
What Sharma does not explicitly teach is:
the iframe and the payment page hosted by different domains and the iFrame configured to receive user payment data and transmit the user payment data to the system without the payment page and a domain of the payment page having access to the user payment data and 
the iFrame including payment instructions, which when executed by the computing device cause the computing device to:
display a user interface for input of user payment data;
encrypt the user payment data when input via the user interface; and 
send the encrypted user payment data to the one or more processors;
West discloses the system comprising:
the iframe and the payment page hosted by different domains and the iFrame configured to receive user payment data and transmit the user payment data to the system without the payment page and a domain of the payment page having access to the user payment data (0014, which discloses that “HTML document 202 appears as an inline frame on merchant web page 201 as a result of an iframe tag embedded in the HTML code that implements merchant web page 201. When setting up the inline frame, merchant server 102 sends to payment processing server 103 an application programming interface (API) name and an API key. This allows payment processing server 103 to recognize the merchant and display HTML document 202 which is customized for the merchant.”);
the iFrame including payment instructions, which when executed by the computing device cause the computing device to:
display a user interface for input of user payment data (see fig. 5, which discloses embedded inline frame from the payment processing server 103 to merchant server 102);
Putre discloses the system comprising:
the iFrame including payment instructions, which when executed by the computing device cause the computing device to:
display a user interface for input of user payment data (see fig. 6, which discloses “display iFrame-based payment page” 601; 0028, which discloses that “This payment page, in various embodiments, will display an iFrame, or an embedded HTML document, (produced by the iFrame system 300) that permits the customer 102 to enter payment data directly into the iFrame system 300 via the merchant's website 602.”);
encrypt the user payment data when input via the user interface (0008, which discloses that “ In various embodiments, after payment data is received via the iFrame, the iFrame system generates an eToken (e.g., an encrypted identifier used by the iFrame system and payee to identify the provided payment data) corresponding to the payment data and provides it back to the payee”; 0023; 0028); and 
send the encrypted user payment data to the one or more processors (0028, which discloses that “That payment data will generally be provided directly, by the iFrame on the merchant website 602, to an iFrame controller 400 of the iFrame system 300 for generation of an eToken. In various embodiments, the eToken includes an encrypted identifier used by the iFrame system 300 and merchant website 602 to identify the provided payment data.”);
Accordingly it would have been obvious to one of ordinary skill in the art at time of applicant’s invention to modify the system of Sharma and incorporate a system further comprising: the iFrame including payment instructions, which when executed by the computing device cause the computing device to: display a user interface for input of user payment data; encrypt the user payment data when input via the user interface; and send the encrypted user payment data to the one or more processors in view of the teachings of West and/or Putre in order to enhance or promote security of the transaction.

As per claims 2 and 13, Sharma further discloses the system, wherein the URL is valid for a single payment session such that the URL expires after being used once to request the Iframe (0009, one time use token).

As per claim 3, Sharma further discloses the system, wherein the request for the iFrame includes an instance of the URL appended with the first instance of the session ID (0009; 0022).

As per claims 4 and 14, Sharma further discloses the system, wherein the computer code instructions, when executed by the one or more processors, further cause the system to:
maintain a data structure associating the URL with the session ID (0009; 0022); and 
validate the first instance of the session ID by determining that the first instance of the session ID is equal to the session ID associated with the URL in the data structure (0009; 0022).

As per claim 6, Sharma further discloses the system, wherein the computer code instructions, when executed by the one or more processors, cause the one or more computer servers to provide the session ID and the URL of the iFrame to the e-commerce host server via a secure communication link between the system and the e-commerce host server (0009; 0022).

As per claim 7, Sharma further discloses the system, wherein the computer code instructions, when executed by the one or more processors, further cause the one or more computer servers to generate the OTT (0009; 0022).

As per claims 8 and 16, Sharma further discloses the system, wherein the OTT expires after a predefined time period (0024).

As per claims 9 and 17, Sharma further discloses the system, wherein the predefined period is less than or equal to 15 minutes (0024).

As per claim 10, Sharma further discloses the system, wherein the computer code instructions when executed by the one or more processors further cause the one or more computer servers to maintain a data structure associating the OTT with the session ID (0009; 0022).

As per claim 11 and 19, Sharma further discloses the system, wherein in validating the instance of the OTT the computer code instructions, when executed by the one or more processors, cause the one or more computer servers to:
check that the instance of the OTT matches the OTT in the data structure and that the OTT in the data structure did not expire (0009; 0022);
check that the session ID in the data structure is valid (0009; 0022); and
determine validity of the OTT upon determining that the OTT in the data structure did not expire and that the session ID in the data structure is valid (0009; 0022).

As per claim 18, Sharma further discloses the method, further comprising maintaining a data structure associating the OTT with the session ID (0009; 0022).

As per claim 21, Sharma further discloses the system, wherein the computer code instructions, when executed by the one or more processors, further cause the system to:
authenticate one or more requests received from the computing device or the e-commerce host server (0022).

As per claim 22, Sharma further discloses the system, wherein the computer code instructions, when executed by the one or more processors, further cause the system to:
authenticate the one or more requests based on determining that there is a match between an identifier received in the one or more requests and a corresponding identifier maintained by the one or more computer servers (0022).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Charles C. Agwumezie whose number is (571) 272-6838. The examiner can normally be reached on Monday – Friday 8:00 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Hayes can be reached on (571) 272 – 6708.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHINEDU C AGWUMEZIE/Primary Examiner, Art Unit 3685                                                                                                                                                                                                        October 18, 2022