15346661 - (D) (P.T.A.B. Apr. 4, 2019)

Ex Parte Williams

Patent Trials and Appeals BoardApr 4, 2019

15346661 - (D) (P.T.A.B. Apr. 4, 2019)

UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE 15/346,661 11/08/2016 22918 7590 04/08/2019 PERKINS COIE LLP - PAO General P.O. BOX 1247 SEATTLE, WA 98111-1247 FIRST NAMED INVENTOR Branden R. Williams UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. 113647-8001.USOl 8660 EXAMINER HALE,TIMB ART UNIT PAPER NUMBER 3685 NOTIFICATION DATE DELIVERY MODE 04/08/2019 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): patentprocurement@perkinscoie.com PTOL-90A (Rev. 04/07) UNITED ST ATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte BRANDEN R. WILLIAMS Appeal2018-000799 Application 15/346,661 Technology Center 3600 Before TERRENCE W. McMILLIN, KARAL. SZPONDOWSKI, and SCOTT B. HOW ARD, Administrative Patent Judges. SZPONDOWSKI, Administrative Patent Judge. DECISION ON APPEAL Appellant appeals under 35 U.S.C. Â§ 134(a) from the Examiner's Final Rejection of claims 1-11, which constitute all of the claims pending in this application. We have jurisdiction under35 U.S.C. Â§6(b). We REVERSE. Appeal2018-000799 Application 15/346,661 STATEMENT OF THE CASE Appellant's invention is directed to "establishing and maintaining PCI DSS [Payment Card Industry Data Security Standard] compliant transaction flows for banking entities by leveraging non-EMV [Europay, MasterCard, and Visa] tokens." Spec. 1, 11. 15-18. Claim 1, reproduced below, is representative of the claimed subject matter: 1. A computer implemented method for establishing and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliant transaction flows, comprising: a payment processor or network receiving an incoming primary account number (PAN) pursuant to a payment card transaction between a merchant and a banking customer; said payment processor or network generating a token by translating said PAN into a token, said translation producing a token value by replacing digits within a middle portion of the PAN with random values, said translation preserving a PAN value for four digits within a terminal portion of the PAN, wherein a one-to-one relationship is maintained between said PAN and said token, wherein any said token resolves to one and only one PAN, wherein said token uniquely and securely corresponds to said PAN for purposes of BIN processing and payment card identification; pursuant to generation of said token, said payment processor or network performing bank identification number (BIN) substitution on said PAN by replacing a BIN within said PAN with a different BIN; said payment processor or network sending said token to an issuer bank for processing of said transaction, wherein PAN data is not derivable by said issuer bank from said token, and wherein use of said token by said issuer bank for said transaction processing is PCI DSS compliant; and upon completion of said issuer bank processing said transaction with said token downstream, said payment processor 2 Appeal2018-000799 Application 15/346,661 or network translating said token back into a PAN for further processing of said transaction upstream. REJECTIONS Claims 1-11 stand rejected under 35 U.S.C. Â§ 101 as being directed to patent-ineligible subject matter. Final Act. 6. Claims 1-11 stand rejected under 35 U.S.C. Â§ 112, frrst paragraph, as failing to comply with the written description requirement. Final Act. 8. Claims 1-11 stand rejected under 35 U.S.C. Â§ 112, second paragraph, as failing to particularly point out and distinctly claim the subject matter regarded as the invention. Final Act. 9-10. Claims 1 and 4--7 stand rejected under 35 U.S.C. Â§ 103(a) as being unpatentable over Linehan (US 6,327,578 B 1; issued Dec. 4, 2001 ), Keresman, III et al. (US 2017 /0017959 Al; published Jan. 19, 2017) ("Keresman"), and Johnson (US 2016/0350746 Al; published Dec. 1, 2016). Final Act. 11. Claims 2, 3, 8, 10, and 11 stand rejected under 35 U.S.C. Â§ 103(a) as being unpatentable over Linehan, Keresman, Johnson, and Kumnick et al. (US 2015/0199689 Al; published July 16, 2015) ("Kumnick"). Final Act. 14. Claim 9 stands rejected under 35 U.S.C. Â§ 103(a) as being unpatentable over Linehan, Keresman, Johnson, and McCarthy (US 2015/0161596 Al; published June 11, 2015). Final Act. 16. 3 Appeal2018-000799 Application 15/346,661 ANALYSIS 35 USCÂ§ 101 Rejections An invention is patent-eligible if it claims a "new and useful process, machine, manufacture, or composition of matter." 3 5 U.S. C. Â§ 101. However, the Supreme Court has long interpreted 3 5 U.S. C. Â§ 101 to include implicit exceptions: "[l]aws of nature, natural phenomena, and abstract ideas" are not patentable. E.g.,AliceCorp. v. CLSBankint'l, 573 U.S. 208, 216 (2014). In determining whether a claim falls within an excluded category, we are guided by the Supreme Court's two-step framework, described in Mayo and Alice. Id. at217-18 (citing Mayo CollaborativeServs. v. Prometheus Labs., Inc., 566U.S. 66, 75-77 (2012)). Inaccordancewiththat framework, we frrst determine what concept the claim is "directed to." See Alice, 573 U.S. at 219 ("On their face, the claims before us are drawn to the concept of intermediated settlement, i.e., the use of a third party to mitigate settlement risk."); see also Bilski v. Kappas, 561 U.S. 593,611 (2010) ("Claims 1 and 4 in petitioners' application explain the basic concept of hedging, or protecting against risk."). Concepts determined to be abstract ideas, and, thus, patent-ineligible, include certain methods of organizing human activity, such as fundamental economic practices (Alice, 573 U.S. at2l9-20;Bilskiv. Kappas, 561 U.S. 593,611 (2010)); mathematical formulas (Parkerv. Flook, 437 U.S. 584, 594--95 (1978)); and mental processes (Gottschalkv. Benson, 409 U.S. 63, 69 (1972)). If the claim is "directed to" an abstract idea, we tum to the second step oftheAlice andMayo framework, where "we must examine the 4 Appeal2018-000799 Application 15/346,661 elements of the claim to determine whether it contains an 'inventive concept' sufficient to 'transform' the claimed abstract idea into a patent-eligible application." Alice, 573 U.S. at221 (internal citation omitted). "A claim that recites an abstract idea must include 'additional features' to ensure 'that the [claim] is more than a drafting effort designed to monopolize the [abstract idea]."' Id. (quoting Mayo, 566 U.S. at 77). "[M]erely requir[ing] generic computer implementation[] fail[ s] to transform that abstract idea into a patent-eligible invention." Id. The PTO recently published revised guidance on the application of Â§ 101. USPTO's January?, 2019 Memorandum,2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50 (Jan. 7, 2019) ("Memorandum"). Under that guidance, we first look to whether the claim recites: ( 1) any judicial exceptions, including certain groupings of abstract ideas (i.e., mathematical concepts, certain methods of organizing human activity such as a fundamental economic practice, or mental processes); and (2) additional elements that integrate the judicial exception into a practical application (see MANUAL OF p ATENT EXAMINING PROCEDURE (MPEP) Â§ 2106.05(a}-(c), (e}-(h) (9th Ed., Rev. 08.2017, Jan. 2018)). Only if a claim (1) recites a judicial exception and (2) does not integrate that exception into a practical application, do we then look to whether the claim: (3) adds a specific limitation beyond the judicial exception that is not "well-understood, routine, conventional" in the field (see MPEP Â§2106.05(d)); or 5 Appeal2018-000799 Application 15/346,661 ( 4) simply appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception. See Memorandum, 84 Fed. Reg. at 52-57. USP TO Memorandum, Step 2A Prong 1 Under the first step of the Alice/Mayo framework, the Examiner concludes the claimed invention is directed to payment processing that recites storing, gathering, and analyzing data, which the Examiner concludes is an abstract idea. Final Act. 6; see also Ans. 4. According to the Examiner, the claimed invention is directed to "obtaining and comparing of intangible data," which is "an idea of itself." Final Act. 6-7. Specifically, the Examiner concludes the "claims frrst obtain intangible data ('receiving an incoming primary account number (PAN); translating said PAN into a token; and sending said token to an issuer bank[']) and then compare the intangible data (e.g., processing said transaction with said token downstream)." Final Act. 7. Appellant argues the Examiner's characterization of the claims "discounts the scope and character of the invention" and oversimplifies and overgeneralizes the claims. App. Br. 5, 7. According to Appellant, the subject matter of the claims "does not describe a concept similar to those found by the courts to be abstract," such as a fundamental economic practice, certain methods of organizing human activity, an idea 'of itself,' or mathematical relationships or formulas. App. Br. 8. We are persuaded by Appellant's arguments. The Memorandum "extracts and synthesizes key concepts identified by the courts as abstract ideas to explain that the abstract idea exception includes the following 6 Appeal2018-000799 Application 15/346,661 groupings of subject matter, when recited as such in a claim limitation( s) ( that is, when recited on their own or per se )": (a) Mathematical concepts-mathematical relationships, mathematical formulas or equations, mathematical calculations; (b) Certain methods of organizing human activity- fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations); managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions); and ( c) Mental processes----concepts performed in the human mind (including an observation, evaluation, judgment, opinion). Memorandum, 84 Fed. Reg. at 52 (footnotes omitted). The Examiner's conclusion that claimed invention recites storing, gathering, and analyzing data, or otherwise obtaining and comparing data, does not sufficiently identify how the claimed invention recites an abstract idea under the guidelines established in the Memorandum. See Memorandum, 84 Fed. Reg. at 52. Even assuming the "idea of itself' identified by the Examiner encompasses a mental process, the Examiner has not sufficiently explained, nor is it readily apparent, how the claims recite a mental process. Accordingly, we fmd the Examiner has not sufficiently established that the claims recite an abstract idea. USP TO Memorandum, Step 2A Prong 2 However, even ifwe agreed that the claims recite an abstract idea, such as a mental process, we determine the claims recite additional elements that integrate the judicial exception into a practical application. See Memorandum, 84 Fed. Reg. at 54--55. 7 Appeal2018-000799 Application 15/346,661 Appellant contends the claimed invention is directed to "establishing and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliant transaction flows," which "are necessarily within a computer system," and "the invention is an improvement in data processing itself' because the claimed invention "improves the operation of the computer system and network that processes these data flows by improving the security and integrity of these systems." App. Br. 5 (citing Enfish, LLCv. Microsoft Corp., 822 F.3d 1327 (Fed. Cir. 2016)). Specifically, Appellant argues the "claimed invention comprises specific system elements that process and transform data to effect improvements in security and integrity for transaction processing," which focuses "on improvements to computer technology and the processing capabilities of computing devices, not an abstract concept for which a computer is used in its ordinary capacity," such as the "payment processor that generates a token from PAN information in a way that maintains a one-to-one relationship between the PAN and the token, while security the PAN data during downstream transaction processing such the PAN data is not derivable downstream, thus assuring PCI DSS compliance." App. Br. 6-7. According to Appellant, the claimed invention is focused "on improvements to the capabilities of transaction processing computer systems, rather than an abstract concept for which a computer is used in its ordinary capacity." App. Br. 8; see Reply Br. 5. On the current record, we are persuaded claim 1 recites additional elements that integrate the judicial exception into a practical application. Appellant explains that the PCI DSS was "created to increase controls around cardholder data to reduce credit card fraud" and "specifies twelve 8 Appeal2018-000799 Application 15/346,661 requirements for compliance." Spec. 1-2. Appellant describes that in the prior art flow of data from a merchant to an acquiring bank or processor and issuer processor, and then from the issuer processor to an issuing bank, the issuing bank is exposed to risk. Spec. 1, Fig. 1. Appellant explains that tokens are used to replace live data in order to minimize exposure to sensitive data, and to reduce the risk of compromise or accidental exposure and unauthorized access to sensitive data. Spec. 7. According to Appellant, although the use of an EMV card as a token exists between the merchant and the customer, the token does nothing to provide security within the realm of the payment processor, issuer processor, and issuing bank at the back end of the processing system. Spec. 8. Appellant's invention seeks to solve this problem by translating the incoming PAN into a token before sending it downstream for further processing. Spec. 8. In this way, the issuer processor and the issuing bank only have tokens and only tokens flow at the back end of the processing, thereby reducing risk and making the issuing bank PCI compliant by removing all PAN data from the banking systems. Spec. 8, Fig. 2A, 2B. Claim 1 recites "receiving an incoming primary account number (PAN) pursuant to a payment card transaction between a merchant and a banking customer," "generating a token by translating said PAN into a token," "performing bank identification number (BIN) substitution on said PAN by replacing a BIN within said PAN with a different BIN," "sending said token to an issuer bank for processing of said transaction," and "translating said token back into a PAN for further processing of said transaction upstream." Claim 1 also recites additional elements of: (a) "a payment processor or network"; 9 Appeal2018-000799 Application 15/346,661 (b) "said translation producing a token value by replacing digits within a middle portion of the PAN with random values, said translation preserving a PAN value for four digits within a terminal portion of the PAN, wherein a one-to-one relationship is maintained between said PAN and said token, wherein any said token resolves to one and only one PAN, wherein said token uniquely and securely corresponds to said PAN for purposes of BIN processing and payment card identification"; and (a) "wherein PAN data is not derivable by said issuer bank from said token, and wherein use of said token by said issuer bank for said transaction processing is PCI DSS compliant" Like the claims in DDR, claim 1 "do[ es] not merely recite the performance of some business practice known from the pre-Internet world along with the requirement to perform it on the Internet." DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1257 (Fed. Cir. 2014). "Instead, the claimed solution is necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks." Id. Indeed, the PCI DDS directly pertains to data security on computer networks. Likewise, Appellant's claims are concerned with transaction processing on computer networks and address a problem specifically arising in the realm of computer networks. The claims, in light of the Specification, are directed to solving a problem related to computer technology for improving the security of "transaction processing computer systems," for which there is no pre-Internet analogy. App. Br. 8; see Reply Br. 5. We, therefore, fmd the claimed additional elements integrate the abstract idea into a practical application. Accordingly, we do not sustain the Examiner's Â§ 101 rejection of claims 1-11. 10 Appeal2018-000799 Application 15/346,661 Section 112 Rejections 35 US. C. Â§ 112, First Paragraph, Rejection The Examiner fmds the claim language "use of said token by said issuer bank for said transaction processing is PCI DSS compliant" fails to comply with the written description requirement. Final Act. 8-9; Ans. 12- 13. Specifically, the Examiner fmds the defmition of PCI DSS compliance "as defmed by Appellant's Specification" only "describes translation of P A[N] to and from a token, but does not describe how the data complies with the requirements" of PCI DSS compliance, and thereby does not explain how "use of said token by said issuer bank for said transaction processing is PCI DSS compliant." Final Act. 8-9; see Ans. 12-13. The Examiner states, "Appellant need not merely show that PCI DSS compliance is well-known in the industry," but rather "Appellant must show how the use of the token by the issuer bank is PCI DSS compliant." Ans. 13. Appellant contends "it is clear to any reasonable skilled person what is required for [PCI DSS] compliance, that is perform transaction processing in accordance with the standard," which is "publicly available and any skilled person can read the standard to understand what is meant by PCI DSS compliance as taught and claimed in the subject patent application." App. Br. 12-13. According to Appellant, the "Examiner has presented no arguments as to why the well-known technique of performing a PCI DSS compliant transaction would not be understood from the subject application and claims." App. Br. 13. We are persuaded by Appellant's arguments. To satisfy the written description requirement, a patent specification must describe the claimed invention in sufficient detail that one skilled in the art can reasonably 11 Appeal2018-000799 Application 15/346,661 conclude that the inventor had possession of the claimed invention. See, e.g., Moba, B. V v. Diamond Auto., Inc., 325 F.3d 1306, 1319 (Fed. Cir. 2003); Vas-Cath, Inc. v. Mahurkar, 935 F.2d 1555, 1563 (Fed. Cir. 1991). "[T]he test requires an objective inquiry into the four comers of the specification from the perspective of a person of ordinary skill in the art," where "the specification must describe an invention understandable to that skilled artisan and show that the inventor actually invented the invention claimed." Ari ad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010) ( en bane). The exact level of detail required depends upon "the nature and scope of the claims and on the complexity and predictability of the relevant technology." Id. Factors for "evaluating the adequacy of the disclosure" may include '"the existing knowledge in the particular field, the extent and content of the prior art, the maturity of the science or technology, [and] the predictability of the aspect at issue.'" Id. (quoting Capon v. Eshhar, 418 F.3d 1349, 1359 (Fed. Cir. 2005)). The Specification describes The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes . . . . The standard was created to increase controls around cardholder data to reduce credit card fraud . . . . The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called control objectives. Spec. 1, 1. 24--2, 1. 5. The PCI DSS Requirements include "Protect cardholder data" as a "Control objective[]." Spec. 2, Table 1. We find the Specification's description of PCI DSS and the requirements for PCI DSS compliance sufficiently show Appellant had 12 Appeal2018-000799 Application 15/346,661 possession of performing transaction processing in accordance with the standard. Accordingly, we reverse the Examiner's 35 U.S.C. Â§ 112, frrst paragraph, rejection of claims 1-8. 3 5 US. C. Â§ 112, Second Paragraph, Rejection The Examiner finds the claimed "BIN processing" is indefinite. Final Act. 10; Ans. 14--15. Specifically, the Examiner finds the claimed "BIN processing" is a "relative term which renders the claim indefinite" as it is "not defmed by the claim" and "the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention." Final Act. 10. According to the Examiner, "the specification merely recites that the tokens are constructed to preserve BIN processing without defming the term BIN processing." Ans. 14--15. According to the Examiner, the claims are indefmite because "it is unclear if the BIN substitution occurs frrst during the generating the token step, in the performing bank identification step, or in both." Ans. 15. Appellant contends "BIN processing is a well-known term in the transaction processing industry." App. Br. 14. Appellant argues the claimed "pursuant to generation of said token, said payment processor or network performing bank identification number (BIN) substitution on said PAN by replacing a BIN within said PAN with a different BIN" shows that "BIN substitution is performed on the PAN by replacing a BIN with the PAN with a different BIN pursuant to generation o{the token[,]" which is "not vague, ambiguous, indefmite, or unclear." Reply Br. 8 ( emphasis added). 13 Appeal2018-000799 Application 15/346,661 We are persuaded by Appellant's arguments. "A claim is indefmite if, when read in light of the specification, it does not reasonably apprise those skilled in the art of the scope of the invention." Amgen, Inc. v. Hoechst Marion Roussel, Inc., 314 F.3d 1313, 1342 (Fed. Cir. 2003). "As the statutory language of 'particular[ ity]' and 'distinct[ ness]' indicates, claims are required to be cast in clear - as opposed to ambiguous, vague, indefmite - terms. It is the claims that notify the public of what is within the protections of the patent, and what is not." In re Packard, 751 F.3d 1307, 1313 (Fed. Cir. 2014). Appellant's Specification describes "BIN processing andP AN data flows in a transaction processing system." Spec. 8, 11. 14--15; see Figs. 2A, 2B. The Specification details "BIN substitution 22, e.g. a different BIN is used for the token," which allows "visual and programmatic identification of the payment number as a token and preserves the BIN for additional processing," and allows "the issuing bank to know if the number they are handling is a PAN or a token, while preserving the remainder of the BIN for further processing." Spec. 9, 11. 7-9, 28-30. In light of this disclosure in the Specification, the Examiner does not sufficiently explain why the claimed "BIN processing" is indefmite. Applying the standard set forth in Amgen and Packard, we agree with Appellant that the claim, based on the claim language (i.e., "said token uniquely and securely corresponds to said PAN for purposes of BIN processing and payment card identification") and in light of Appellant's Specification (i.e., BIN processing in a transaction processing system, including BIN substitution to preserve the remainder of the BIN for 14 Appeal2018-000799 Application 15/346,661 additional processing), is sufficiently clear. See App. Br. 14; Reply Br. 8; Spec. 8, 11. 14--15; Spec. 9, 11. 7-9, 28-30. Accordingly, we reverse the Examiner's rejection of claims 1-11 under 35 U.S.C. Â§ 112, second paragraph. 35 USCÂ§ 103(a)Rejections Issue: Did the Examiner err in fmding that the combination of Linehan, Keresman, and Johnson teaches "said payment processor or network sending said token to an issuer bank for processing of said transaction" as recited in claim 1? The Examiner fmds Linehan is directed to "the exact same concept" as the claimed invention, and teaches "electronic commerce ... utilizing a merchant, consumer, plurality of gateways, a issuing bank and acquiring bank" that is "implemented by utilization of a token, where said token is used to facilitate and settle a transaction" which is a "procedure occurring at an issuer bank" and the "tokens are used in conjunction with a card number or an alias of the card number." Ans. 16; see Final Act. 12 (citing Linehan Fig. 2A, col. 5, 1. 50----col. 7, 1. 2, col. 10, 1. 44--col. 11, 1. 9). According to the Examiner, "Linehan teaches a merchant providing the issuer bank a token through the entities that facilitate processing of the payment over a network as shown in Fig. 2A in order to prove that the issuer authorized the payment." Ans. 17. Appellant contends "Linehan concerns a four-party protocol that allows a purchaser to transact directly with the card issuer," which is "not relevant to the architecture of the claimed invention, where the invention concerns transactions performed by the issuer bank." App. Br. 15. 15 Appeal2018-000799 Application 15/346,661 Specifically, Appellant argues"[ n Jone of the asserted actions of Linehan occur between a payment processor and an issuer bank and none of the claimed actions occur between Linehan's merchants and issuers." App. Br. 1 7. According to Appellants "Linehan concerns the generation of an authorization token at the issuing gateway for use by the consumer and merchant." Reply Br. 10-11 ( citing Linehan col. 6, 11. 23--42). Appellant argues that "while Linehan creates an authorization token that includes cardholder information ... that is used by the consumer and merchant to prove authorization of a transaction, the claimed invention creates a token that is exclusively used by the issuer bank, that does not include cardholder information ("wherein PAN data is not derivable by said issuer bank from said token"), and that is not used by the cardholder or merchant." Reply Br. 11. We are persuaded by Appellant's arguments. Claim 1 requires the claimed token be sent from the payment processor or network "to an issuer bank for processing of said transaction." Specifically, the claimed "payment processor or network" "receiv[ es] an incoming primary account number (PAN)" and "generat[es] a token by translating said PAN into a token," "perform[ s] bank identification number (BIN) substitution on said PAN," "send[ s] said token to an issuer bank for processing of said transaction," and "translat[ es] said token back into a PAN for further processing of said transaction upstream." See claim 1. In other words, the claimed "payment process or network" performs PAN/token translation, generates the token, and sends the token to the issuer bank. The sections of Linehan cited by the Examiner (see Final Act. 12) teach 16 Appeal2018-000799 Application 15/346,661 the issuer gateway 214 then pre-authorizes payment by sending over the internet network an authorization token 254 over path 226, an issuer's digital certificate, the wallet initiation message, and a reference number or value 252' representing the consumer's credit or debit card number . . . . The issuing bank pairs the consumer's card number 250 with a selected reference number 252 and outputs the reference number over path 226' to the issuer gateway 214. The issuer gateway then includes the reference number 252' with the authorization token 254. The authorization token 254 includes ... the reference number 252' to the consumer's credit or debit card number. The issuer gateway 214 signs the authorization token 254 on behalf of the issuing bank 212. Linehan col. 6, 11. 15-33 ( emphasis added). Linehan further teaches "the issuer gateway includes a 'reference' to the consumers card number in the authorization token," which can be composed as "an 'alias card number,' meaning a secondary account number that is mapped at the issuing bank to the real card number" or as "an authorization number allocated uniquely by the issuer gateway" for which the "issuing bank maintains a database mapping authorization numbers to card number." Linehan col. 11, 11. 45---67. In other words, contrary to the claimed "payment process or network" (i.e., issuer gateway) generating a token and "sending said token to an issuer bank for processing of said transaction," Linehan teaches the issuer bank generating an authorization token with a reference number (i.e., a token) and sending it to the issuer gateway, and the issuer gateway sending the token to the merchant or consumer. Furthermore, Linehan's token references the consumer's credit card number (i.e., personal account number (PAN)) and does not teach "wherein PAN data is not derivable by said issuer bank from said token." Linehan' s token that references PAN and that is generated by the issuer bank would not prohibit the PAN data from being derivable by the 17 Appeal2018-000799 Application 15/346,661 issuer bank. Therefore, we fmd the Examiner has not provided sufficient fmdings that Linehan teaches the claimed "said payment processor or network sending said token to an issuer bank for processing of said transaction, wherein PAN data is not derivable by said issuer bank from said token." Accordingly, we do not sustain the Examiner'sÂ§ 103(a) rejection of independent claim 1, and dependent claims 4--7, not separately argued. Moreover, because the Examiner has not shown that the additional references cure the foregoing deficiency regarding the rejection of the independent claim, we do not sustain the obviousness rejections of dependent claims 2, 3, and 8-11, not separately argued. DECISION We reverse the Examiner's rejection of claims 1-11 under 35 U.S.C. Â§ 101. We reverse the Examiner's rejection of claims 1-11 under 35 U.S.C. Â§ 112, frrst paragraph. We reverse the Examiner's rejection of claims 1-11 under 35 U.S.C. Â§ 112, second paragraph. WereversetheExaminer'srejections of claims 1-11 under35 U.S.C. Â§ 103. REVERSED 18