METHOD FOR ENROLLING A PUBLIC KEY ON A SERVER

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED CORRESPONDENCE Acknowledgements The Amendment of claims 1, 6-8, filed on 12/11/2025 is acknowledged and hereby considered. Claims 1-15 are pending and are hereby examined. Examiner’s Response to Amendment/Remarks Claim Objections The amendment to the claims has resolved the objection raised in the Office Action mailed out on 09/24/2025. 35 USC § 103 The Applicant’s amendment and remarks filed on 12/11/2025 are hereby acknowledged. The arguments are primarily on the primary prior art, Wilson, which Examiner had disclosed in page 6 of the Office Action mailed out on 09/24/2025 “Although Wilson teaches financial transactions in an electronic environment, for credit card purchases, but does not explicitly teach a POS terminal”. For the purpose of clarity of this Final Office Action, Examiner is making Savolainen the primary prior art, in view of Wilson, as disclosed below rendering Applicant’s arguments moot. As regards Applicant’s final argument for claim 6 at page 9-10 of the response, Examiner has added additional supporting disclosure in Wilson to teach this amended limitation of “wherein a Uniform Resource Locator is assigned by the remote server to both the trusted data and the service provided by the remote server, wherein remotely accessing the service at said Uniform Resource Locator is subject to user authentication after enrolling the public key of the payment card in the remote server, and wherein the user uses the private key stored in the payment card, uniquely associated to said public key, to perform this authentication. Therefore, the 103 rejection is hereby maintained. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 3 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 6-8 , 10 and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Savolainen et al., (US 20140289129 A1) in view of Stephen Wilson (WO 2009126994 A1). With respect to claims 1 and 7, Savolainen teaches a method for enrolling a public key of a payment card in a remote server, said payment card embedding a private key and a certificate comprising the public key {see at least Abstract “…method includes transmitting the encrypted payment data and signature to the payment card for decryption of the payment data and signature using a payment card private key corresponding to the payment card public key certificate”}, wherein the method comprises the steps: operating a payment transaction involving a Point of Sale (POS) terminal and the payment card by performing an off-line data authentication during which the POS terminal receives from the payment card the certificate and verifies the genuineness of said certificate, the POS terminal being locally coupled to the payment card {see at least Fig. 2 ¶ 0009 “…a method of securely communicating between a Point-of-Sale (PoS) terminal and a payment card is provided [locally coupled]. The method includes signing, at the payment card, payment data with a private key of the payment card to create a signature. The method also includes encrypting the payment data and the signature at the payment card using a public key certificate of the PoS terminal. The PoS terminal public key certificate is encrypted and signed by a certificate authority using a private key of the certificate authority and is received at the payment card from the PoS terminal card after a public key certificate of the payment card is received from the payment card and validated at the PoS terminal. The PoS terminal public key certificate is encrypted and signed by a certificate authority using a private key of the certificate authority and is received at the payment card from the PoS terminal card after a public key certificate of the payment card is received from the payment card and validated [verifies the genuineness of said certificate] at the PoS terminal…”, and also ¶¶ 0010-0011}. receiving by the POS terminal, from the payment card, a card identifier [a non-predictable or a random number] which has been permanently allocated to the payment card {see at least ¶¶ 0023-0025 “The payment card will then send its own Public Key certificate (P.sub.IC) encrypted and signed by the CA using a Private Key (S.sub.CA), to the PoS terminal together with the non predictable or random number which is signs and encrypts using the card's own Private Key (S.sub.IC)”}. only if the genuineness of the certificate has been successfully verified by the POS terminal, forming by the POS terminal a trusted data by uniquely binding said card identifier and public key during said payment transaction, said trusted data comprising said card identifier and public key {see at least ¶¶ 0023-0026 “The PoS terminal will use the CA's Public Key (P.sub.CA) to decrypt and validate the data received from the payment card. The PoS terminal can decrypt the non-predictable number using the Cards Public Key (P.sub.IC) it has received for validating the integrity of the communication and data received”, and also ¶¶ 0027-0028 “While the secure key exchange has been shown and described as a transaction from the PoS terminal to the payment card, one of ordinary skill in the art would recognize that the secure key exchange can also be effected with the payment card as the transmitting party and the PoS terminal as the receiving party”, ¶ 0029 “The secure transaction may consist of one or several messages sent between the parties. The secure messaging can be either one directional or bi-directional. The principle of securing the information is using PKI method. In other words, the sending party will first sign the content with its own private key and then encrypt the content and the signature with the receiving party's public key. This ensure the content remains confidential and that only the recipient with its private key corresponding to the public key which was used to encrypt the data can decrypt it. Furthermore, the recipient can use the public key of the sender to verify that the message has not been altered after the sender signed it. This method is well known to a person skilled in the art”, ¶ 0030 “One of ordinary skill in the art would recognize that the secure transaction can be effected with the payment card as the transmitting party and the PoS terminal as the receiving party or the PoS terminal as the transmitting party and the payment card as the receiving party”}. Savolainen does not explicitly disclose: sending the trusted data from the POS terminal to the remote server; and enrolling the public key by storing the trusted data in a memory of the remote server for subsequent access to a service whose access is secured by an authentication based on the public key associated with the payment card. However, Wilson discloses sending the trusted data from the […] terminal to the remote server{page 11 lines 9-16 “…the user's response to the e-commerce form 212 causes a Private Key securely stored in the tamper resistant storage of the smartcard 224 to sign transaction details and convey [e.g. sending] the signed details 240 and the Public Key Certificate 290 stored on the card 224 back to the merchant server 210…”}, and enrolling the public key by storing the trusted data in a memory of the remote server {see at least page 13 line 7-11 “...to evince possession of the payment card in question, the transaction involves signing authenticating data using the Private Key associated with the Public Key Certificate, and sending the signature code together with the Public Key Certificate to the merchant server”, and also {page 11 lines 9-16 “…the user's response to the e-commerce form 212 causes a Private Key securely stored in the tamper resistant storage of the smartcard 224 to sign transaction details and convey the signed details 240 and the Public Key Certificate 290 stored on the card 224 back to the merchant server 210…”}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen to include the elements of Wilson. One would have been motivated to do so, in order to have a secured communication of payment card data from a terminal machine to a payment server. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data. Wilson is merely relied upon to illustrate the functionality of having a secured communication of payment card data from a terminal machine to a payment server, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, as well as having a secured communication of payment card data from a terminal machine to a payment server, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson. With respect to claims 2 and 12-14, the combination of Savolainen in view of Wilson discloses all the subject matter on claims 1 and 8 above, respectfully. Furthermore, Wilson discloses wherein the payment card is a physical card and the card identifier is a Primary Account Number or wherein the payment card is a digital card hosted in a terminal equipment and the card identifier is a Token or wherein the payment card is either a physical card or a digital card hosted in a terminal equipment and the card identifier is a Payment Account Reference {see at least page 10 lines 11-18 “…The financial institution 110 issues to a payment card holder 101 listed in the database 112 a payment card 150. In this embodiment the payment card 150 comprises a smartcard including a processor chip 155 having secure tamper resistant storage and cryptographic processing capability. During the process of personalising and issuing the payment card 150, the processor chip 155 generates a Public Key - Private Key pair. A Public Key Certificate 120 corresponding to said Public Key - Private Key pair is created and signed by a Certification Authority 114 operated by the financial institution…”}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen to include the elements of Wilson. One would have been motivated to do so, in order to have a secured communication of payment card data from a terminal machine to a payment server. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data. Wilson is merely relied upon to illustrate the functionality of having a secured communication of payment card data from a terminal machine to a payment server, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, as well as having a secured communication of payment card data from a terminal machine to a payment server, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson. With respect to claim 6, the combination of Savolainen in view of Wilson discloses all the subject matter on claim 1 above. Furthermore, Wilson discloses wherein a Uniform Resource Locator is assigned by the remote server to both the trusted data and the service provided by the remote server, wherein remotely accessing the service at said Uniform Resource Locator is subject to user authentication after enrolling the public key of the payment card in the remote server, and wherein the user uses the private key stored in the payment card, uniquely associated to said public key, to perform this authentication {see at least page 13 line 7-11 “...to evince possession of the payment card in question, the transaction involves signing authenticating data using the Private Key associated with the Public Key Certificate, and sending the signature code together with the Public Key Certificate to the merchant server”, and also {page 11 lines 9-16 “…the user's response to the e-commerce form 212 causes a Private Key securely stored in the tamper resistant storage of the smartcard 224 to sign transaction details and convey the signed details 240 and the Public Key Certificate 290 stored on the card 224 back to the merchant server 210…” also page16 lines 29-page 17 line 2 “…The merchant must determine the online location of the card issuer server 330, because the authentication of the card holder under the online CNP payment scheme is carried out by the card issuer before the merchant ultimately accepts of rejects the order. The merchant server 312 refers at step 325 to an online directory 340 to look up the address of the card issuer server 330. Said address may be a Universal Resource Locator (URL), or an Internet Protocol (IP) address, or any other suitable address depending on the detailed design of the payments system. The directory 340 may be operated by the payment card scheme independent of both the card issuer 330 and the merchant's acquiring bank 342”}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen to include the elements of Wilson. One would have been motivated to do so, in order to have a secured communication of payment card data from a terminal machine to a payment server. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data. Wilson is merely relied upon to illustrate the functionality of having a secured communication of payment card data from a terminal machine to a payment server, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, as well as having a secured communication of payment card data from a terminal machine to a payment server, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson. With respect to claim 8, the combination of Savolainen in view of Wilson discloses all the subject matter on claims 7 above. Furthermore, Wilson discloses, and a remote server, wherein the remote server is configured to enroll the public key by storing the trusted data in a memory of the remote server {see at least Abstract “…A Public Key Certificate corresponding to the Private Key is also created and can be stored in an online repository for merchant access. The Public Key Certificate identifies a payment card of the user, and is signed by or on behalf of a financial institution issuing the payment card…”, and also col 25 lines 38-50}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen to include the elements of Wilson. One would have been motivated to do so, in order to have a secured communication of payment card data from a terminal machine to a payment server. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data. Wilson is merely relied upon to illustrate the functionality of having a secured communication of payment card data from a terminal machine to a payment server, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, as well as having a secured communication of payment card data from a terminal machine to a payment server, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson. With respect to claims 10 and 15, the combination of Savolainen in view of Wilson discloses all the subject matter on claim 8 above. Furthermore, Wilson discloses wherein the system comprises a payment card configured to request the […] terminal to operate the payment transaction by performing both an on-line authorization and an off- line data authentication {see at least Abstract “…the Public Key Certificate identifies a payment card of the user, and is signed by or on behalf of a financial institution issuing the payment card. When initiating a payment card transaction with a merchant, a data item is signed using the Private Key. The signed data item and the Public Key Certificate are conveyed to the merchant, [e.g., on-line process], which enables the merchant to authenticate the transaction without needing to communicate with the user's financial institution [e.g., off-line process], and while avoiding the inconvenience and privacy issues associated with obtaining other card details and user details”, and also, page 10 lines 11-18, page 13 line 7-11}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen to include the elements of Wilson. One would have been motivated to do so, in order to have a secured communication of payment card data from a terminal machine to a payment server. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data. Wilson is merely relied upon to illustrate the functionality of having a secured communication of payment card data from a terminal machine to a payment server, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, as well as having a secured communication of payment card data from a terminal machine to a payment server, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson. Claims 3 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Savolainen et al., (US 20140289129 A1) in view of Stephen Wilson (WO 2009126994 A1) and further in view of Kazuyoshi Tohma (US Pat. 8447655 B2). With respect to claims 3 and 9, the combination of Savolainen in view of Wilson discloses all the subject matter on claims 1 and 8 above, respectively, but does not explicitly, however, Tohma discloses wherein the POS terminal sends the trusted data to the remote server through an Electronic Cash Register {see at least claim 1 “An electronic cash register which transmits a data file to a server by using a file transfer protocol and receives a data file from the server by using the file transfer protocol…”}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen in view of Wilson to include the elements of Tohma. One would have been motivated to do so, in order to have an electronic cash register to facilitates secure electronic commerce transactions among multiple participants. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data, and Wilson discloses having a secured communication of payment card data from a terminal machine to a payment server. Tohma is merely relied upon to illustrate the functionality of having an electronic cash register to facilitates secure electronic commerce transactions among multiple participants, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, and having a secured communication of payment card data from a terminal machine to a payment server, as well as having an electronic cash register to facilitates secure electronic commerce transactions among multiple participants, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, and in view of Tohma, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson/Tohma. Claims 4-5 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Savolainen et al., (US 20140289129 A1) in view of Stephen Wilson (WO 2009126994 A1) and further in view of Fox et al., (US Pat. 5790677 A). With respect to claims 4 and 11, the combination of Savolainen in view of Wilson discloses all the subject matter on claims 1 and 8 above, but does not explicitly, however, Fox discloses wherein the POS terminal receives an expiry date permanently allocated to the payment card and wherein the POS terminal sends the expiry date to the remote server along with said trusted data {see at least col 24 line 63-col 25 line 13 “…As noted above, the purchaser PC 312, merchant server 314, and acquirer server 316 all execute a credit card order and payment application, and a cryptography system, to meet the security, privacy, integrity, and authenticity needs of this particular commerce system… The purchaser 302 creates a commerce document in the form of a goods and services order (GSO) and a commerce instrument in the form of a purchase instruction (PI). The GSO and PI are configured in packets using the tag-length-value data structure described above with reference to FIG. 9. An example GSO contains a name of the payee (merchant), an authorized amount, a unique transaction ID, purchaser's name and address, an order expiration, and an order form. An example PI includes the payee’s name (merchant), the authorized amount, the unique transaction ID, a GSO message digest, a card expiration, and order expiration”}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen in view of Wilson to include the elements of Fox. One would have been motivated to do so, in order to have an expiry date on the payment card. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data, and Wilson discloses having a secured communication of payment card data from a terminal machine to a payment server. Fox is merely relied upon to illustrate the functionality of having an expiry date on the payment card, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, and having a secured communication of payment card data from a terminal machine to a payment server, as well as having an expiry date on the payment card, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, and in view of Fox, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson/Fox. With respect to claim 5, the combination of Savolainen in view of Wilson discloses all the subject matter on claim 1 above. Furthermore, Fox discloses wherein the POS terminal sends a payment e-receipt to the remote server along with said trusted data {see at least col 26 lines 7-12 “…The merchant server 314 then generates a purchase receipt 342, digitally signs the receipt, and encrypts it using the purchaser's public key exchange key. The purchase receipt 342 is sent from the merchant server 314 over the communication network 334 to the purchaser's PC 312 which then decrypts and verifies the receipt”}. Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, to modify Savolainen in view of Wilson to include the elements of Fox. One would have been motivated to do so, in order to have a transaction receipt distributed. Furthermore, Savolainen discloses having a secured payment card data communication with a POS terminal to avoid hacking of card data, and Wilson discloses having a secured communication of payment card data from a terminal machine to a payment server. Fox is merely relied upon to illustrate the functionality of having a transaction receipt distributed, in the same or similar context. Because both having a secured payment card data communication with a POS terminal to avoid hacking of card data, and having a secured communication of payment card data from a terminal machine to a payment server, as well as having a transaction receipt distributed, are implemented through well-known computer technologies in the same or similar context, would be reasonable, according to one of ordinary skill in the art. Moreover, since the elements disclosed by Savolainen in view Wilson, and in view of Fox, would function in the same manner in combination as they do in their separate embodiments, it would be reasonable to conclude that their resulting combination would be predictable. Accordingly, the claimed subject matter is obvious over Savolainen/Wilson/Fox. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. The prior art made of record and not relied upon: 1) (US 20080283591 A1) – Oder II, Secure Payment Card Transactions - relates to payment systems. 2) (US 20160364723 A1) – Reese et al., Virtual POS Terminal Method and Apparatus – relates to the technical field of electronic transactions, and in particular, to apparatuses, methods and storage media for providing a virtual point of sale (POS) terminal. 3) (US 20150317626 A1) – Ran et al., Secure Proximity Exchange of Payment Information Between Mobile Wallet and Point-of-Sale - relates to a method for processing payment. The method includes obtaining, by a point-of-sale (POS) device from a certification authority, a certificate data item that identifies the POS device for completing a purchase by a consumer, generating, by the POS device comprising a computer processor, a payment request for the payment to complete the purchase, wherein the payment request comprises the certificate data item, broadcasting, by the POS device, the payment request via a wireless signal within a pre-determined range of the POS device. 4) (US 20110202463 A1) - Powell – Methods and Systems for Cardholder Initiated Transactions - relates generally to transactions associated with a financial transaction card account and, more particularly, to network-based methods and systems for financial transactions initiated by an account holder, remotely from a bankcard network. Any inquiry concerning this communication or earlier communications from the examiner should be directed to VINCENT IDIAKE whose telephone number is (571)272-1284. The examiner can normally be reached on Mon-Fri from 10:30AM to 7:30PM ET. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PATRICK MCATEE, can be reached at telephone number 571-272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form /V.I./Examiner, Art Unit 3698 /PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3698