DCT
7:23-cv-01773
Ov Loop Inc v. MasterCard Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: OV Loop, Inc. (Delaware)
  - Defendant: Mastercard Incorporated, and Mastercard International Incorporated (Delaware)
  - Plaintiff’s Counsel: Hosie Rice LLP
- Case Identification: 7:23-cv-01773, S.D.N.Y., 03/01/2023
- Venue Allegations: Venue is alleged to be proper in the Southern District of New York because Defendants have an established and principal place of business in the District, including their Global and North American headquarters, and have committed alleged acts of patent infringement there.
- Core Dispute: Plaintiff alleges that Defendant’s cloud-based mobile payment systems, which enable secure transactions without a physical hardware security element on the mobile device, infringe a patent related to Host Card Emulation (HCE) technology.
- Technical Context: The lawsuit concerns Host Card Emulation (HCE), a software-based approach that allows mobile devices to emulate a physical payment card for contactless transactions, a technology critical to the expansion of mobile payments beyond devices with dedicated security chips.
- Key Procedural History: The complaint alleges that Plaintiff OV Loop engaged in extensive pre-suit communications with Mastercard from 2018 to 2022 regarding certification for its own digital wallet. During these communications, Plaintiff claims it specifically notified Mastercard that its HCE systems infringed the patent-in-suit. Plaintiff also alleges that Mastercard announced its HCE specifications in 2014, after the patent's earliest priority date but before its issuance date.
Case Timeline
| Date | Event | 
|---|---|
| 2011-08-30 | '171 Patent - Earliest Priority Date | 
| 2012-08-30 | '171 Patent - Application Filing Date | 
| 2014-02-01 | Mastercard announces plan to publish HCE specification (approx. date) | 
| 2014-06-01 | Mastercard HCE standards implemented (approx. date) | 
| 2018-06-01 | OV Loop acquires SimplyTapp, original assignee of '171 Patent (approx. date) | 
| 2018-07-24 | '171 Patent - Issue Date | 
| 2018-08-03 | OV Loop begins communications with Mastercard regarding certification | 
| 2023-03-01 | Complaint Filing Date | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,032,171 - "Systems and Methods for Secure Application-Based Participation in an Interrogation by Mobile Device"
- Patent Identification: U.S. Patent No. 10,032,171, issued July 24, 2018.
The Invention Explained
- Problem Addressed: The patent addresses the limitations of traditional mobile payment systems that require a physical "Secure Element" (SE)—a dedicated microchip—to store cryptographic keys and secure transactions. This hardware requirement restricts the availability of mobile payments to specific devices and creates inflexibility (Compl. ¶31-32; ’171 Patent, col. 2:32-49).
- The Patented Solution: The invention describes a system for what is now known as Host Card Emulation (HCE), where a mobile device application can participate in a secure transaction without having a permanent, locally stored cryptographic key. Instead, the application requests a "non-permanent cryptographic key" from a remote computer system over a wireless network. During a transaction at a point-of-sale (POS) terminal, the mobile app uses this temporary key to generate a one-time cryptogram to authorize the payment, a process that is then verified by the remote system (Compl. ¶54; ’171 Patent, Abstract, col. 2:5-23).
- Technical Importance: This software-centric approach decouples payment security from specific hardware, enabling a broader range of devices, particularly Android smartphones, to function as secure mobile wallets (Compl. ¶33-35).
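
The key lifecycle summarized above (remote issuance of a non-permanent key, a one-time cryptogram at the terminal, remote verification, then key replacement) can be sketched as follows. This is an added illustration, not code from the complaint, the ’171 Patent, or Mastercard's MCBP/MDES specifications; the class names, the counter-based derivation, and the use of HMAC-SHA256 are assumptions chosen for clarity.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, an assumed stand-in for the real cryptogram algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()


class RemoteSystem:
    """Hypothetical issuer-side service; the only holder of the permanent key."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # never sent to the device
        self._issued = 0
        self._spent: set[int] = set()

    def issue_key(self) -> tuple[int, bytes]:
        """Derive a non-permanent key bound to a fresh counter value."""
        ctr = self._issued
        self._issued += 1
        return ctr, mac(self._master, b"luk" + ctr.to_bytes(4, "big"))

    def verify(self, ctr: int, txn: bytes, cryptogram: bytes) -> bool:
        """Re-derive the key for ctr, check the cryptogram, reject any reuse."""
        if not 0 <= ctr < self._issued or ctr in self._spent:
            return False
        key = mac(self._master, b"luk" + ctr.to_bytes(4, "big"))
        if not hmac.compare_digest(mac(key, txn)[:8], cryptogram):
            return False
        self._spent.add(ctr)  # a verified key is never accepted again
        return True


class WalletApp:
    """Hypothetical device-side app; stores only the current non-permanent key."""

    def __init__(self, remote: RemoteSystem) -> None:
        self._remote = remote
        self._ctr, self._key = remote.issue_key()  # first non-permanent key

    def answer_interrogation(self, txn: bytes) -> tuple[int, bytes]:
        """Answer a terminal's cryptogram request, then replace the local key."""
        ctr, cryptogram = self._ctr, mac(self._key, txn)[:8]
        self._ctr, self._key = self._remote.issue_key()  # second key
        return ctr, cryptogram
```

Because the device never holds the master key, extracting the local key from device storage yields at most one unspent cryptogram, and the remote system's spent-counter check rejects a replayed one.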
Key Claims at a Glance
- The complaint asserts infringement of claims of the ’171 Patent, with a focus on independent method Claim 1, independent system Claim 17, and dependent system Claim 25 (Compl. ¶55-57, ¶76-78).
- Independent Claim 1 (Method):
  - Executing an application on a mobile device that is interrogable by an electronic reader.
  - The application does not access a permanent cryptographic key.
  - Requesting and receiving from a remote computer system a "first non-permanent cryptographic key."
  - Locally storing this key at the mobile device.
  - Participating in an interrogation with a POS terminal, which includes receiving a cryptogram request.
  - Generating a response cryptogram using the local, non-permanent key.
  - Subsequent to the interrogation, requesting and receiving a "second non-permanent cryptographic key" to replace the first one.
- Independent Claim 17 (System):
  - A mobile device with a controller, wireless interface, processor, and storage medium.
  - An application on the storage medium that, when executed, is interrogable for transactions and does not have access to a permanent cryptographic key.
  - The application is executable to request and receive a "first non-permanent cryptographic key" from a remote computer system and store it locally.
  - During an interrogation, the application receives a cryptogram request from a POS terminal, accesses the local key, and generates a response cryptogram.
  - Subsequent to the interrogation, the application requests and receives a "second non-permanent cryptographic key" to change the local key.
- The complaint generally alleges infringement of the patent, reserving the right to assert additional claims (Compl. ¶76-77).
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are Mastercard’s “Mastercard Cloud-Based Payments” (MCBP) specifications and the associated “Mastercard Digital Enablement Service” (MDES) system (Compl. ¶61, ¶63, ¶77). The complaint also identifies third-party mobile wallets that comply with these standards, such as Garmin Pay, as part of the infringing system (Compl. ¶79).
Functionality and Market Context
- The complaint alleges that MCBP is Mastercard's required standard for HCE-based payments, and MDES is the cloud-based service that implements it (Compl. ¶61, ¶63). MDES is described as a system that provides tokenized account numbers and "single/limited use keys and cloud cryptograms" to mobile wallet applications (Compl. ¶60, ¶63). A flowchart on page 24 illustrates the alleged Mastercard HCE ecosystem, showing data flow between a 'Mobile Device with Mobile Wallet Application,' the 'Mastercard Digital Enablement Service,' and a 'Point-of-Sale Terminal' (Compl. p. 24).
- The complaint asserts that any entity wishing to support Mastercard cards in a digital wallet must comply with MCBP standards and use the MDES system, positioning Mastercard as a "gatekeeper" for HCE technology in its network (Compl. ¶62).
IV. Analysis of Infringement Allegations
'171 Patent Infringement Allegations
| Claim Element (from Independent Claim 17) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a mobile device comprising: a controller... a wireless interface... a processor; a computer readable storage medium... | A third-party mobile device, such as a Garmin smartwatch, that contains the necessary hardware components and runs a mobile wallet application like Garmin Pay. | ¶79, ¶81 | col. 18:18-28 | 
| ...storing an application... wherein the application does not have access to a permanent cryptographic key... | The Garmin Pay application, which is alleged to operate using the HCE method without a permanent key, in compliance with Mastercard's MCBP standard. | ¶80-81 | col. 18:29-41 | 
| ...[application is] executable to: request from the remote computer system... a first set of data associated with the account; | The mobile wallet application requests credential data, including cryptographic keys, from Mastercard's MDES platform to enable payments. | ¶63, ¶80 | col. 18:42-45 | 
| receive by the application, from the remote computer system... the first set of data... comprising a first non-permanent cryptographic key... | The mobile wallet receives "single/limited use keys" (SUKs) from the MDES system, which are alleged to be the claimed "non-permanent cryptographic key." | ¶60, ¶66, ¶80 | col. 18:46-53 | 
| store the first non-permanent cryptographic key at the mobile device as a local cryptographic key... | The mobile wallet application stores the received SUKs from MDES on the device for use in generating cryptograms. | ¶66 | col. 18:54-57 | 
| during an interrogation: receive at least one point-of-sale (POS) command communication... including a cryptogram request; | The mobile wallet application communicates via NFC with a POS terminal and receives a command to generate a cryptogram to authorize a transaction. | ¶61, ¶65 | col. 19:1-6 | 
| generate a response cryptogram based on a set of inputs and the local cryptographic key... | The mobile wallet application uses the locally stored SUK to generate a cryptogram for the transaction, as mandated by MCBP specifications. | ¶60, ¶66 | col. 19:9-16 | 
| subsequent to the interrogation, request from the remote computer system... a second set of data... | The complaint alleges that as SUKs are used, "additional SUKs are loaded from the cloud card management vendor to the device," meeting the requirement to refresh keys. | ¶66 | col. 19:22-25 | 
Identified Points of Contention
- Scope Questions: The complaint alleges that Mastercard "makes" an infringing system under Claim 17 by combining its MDES service with third-party mobile wallets (Compl. ¶81). This raises a question of divided infringement: does Mastercard's role in providing the "remote computer system" and setting mandatory standards for the mobile application mean it "makes" or "uses" the entire claimed system, or are the actions impermissibly divided between Mastercard, device makers, and end-users?
- Technical Questions: A key technical question is whether the "single use keys (SUKs)" that are loaded from MDES, potentially in batches, meet the claim limitation of a "non-permanent cryptographic key" that is requested and replaced "subsequent to the interrogation" (Compl. ¶66). The analysis may turn on the specific timing and mechanism of how these keys are provisioned and refreshed.
V. Key Claim Terms for Construction
The Term: "non-permanent cryptographic key"
- Context and Importance: This term is the technological core of the patent, distinguishing HCE from hardware-based SE systems. Whether Mastercard's "single use keys" (SUKs) fall within this definition will be a dispositive issue for infringement (Compl. ¶60, ¶66).
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification uses the term "temporary cryptographic key" interchangeably ('171 Patent, col. 29:8-12), suggesting any key not intended to persist for the life of the digital credential could be considered "non-permanent." The claims require changing the key "between at least two interrogations," which does not strictly require a one-key-per-transaction lifecycle ('171 Patent, col. 18:1-2).
  - Evidence for a Narrower Interpretation: The structure of the independent claims, which recite requesting a "first" key, using it, and "subsequent to the interrogation" requesting a "second" key, could be argued to teach a sequential, one-at-a-time key replacement model. A defendant may argue that storing a batch of multiple "single use keys" on the device at once (Compl. ¶66) does not meet this limitation.
The Term: "remote computer system"
- Context and Importance: Plaintiff's infringement theory identifies Mastercard's MDES platform as this system element. The construction of this term will determine whether a distributed, cloud-based service architecture falls within the claim scope.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification describes the system as potentially comprising an "array of secure element representations" that can be virtual or database-driven, accessed over a network, which aligns with a cloud-based service model ('171 Patent, col. 10:41-64).
  - Evidence for a Narrower Interpretation: Figures in the patent depict more monolithic server architectures (e.g., ’171 Patent, Fig. 19, Network Server 153), which a defendant could use to argue that the claims do not cover the specific distributed architecture of a modern cloud service like MDES.
VI. Other Allegations
Indirect Infringement
- The complaint alleges active inducement, asserting that Mastercard intentionally causes third-party wallet providers (like Garmin) and end-users to infringe. The alleged acts of inducement include providing the mandatory MCBP specifications and the MDES system, offering a software development kit (SDK), and requiring certification for any wallet to use Mastercard cards (Compl. ¶83, ¶86).
Willful Infringement
- Willfulness is alleged based on pre-suit notice. The complaint claims that OV Loop, in "conversations and in writing," specifically identified the ’171 Patent to Mastercard and explained how the MDES system infringed (Compl. ¶74, ¶86). The complaint includes a multi-year chronology of communications between the parties to support this allegation (Compl. ¶70).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of claim construction: can the term "non-permanent cryptographic key," which the patent describes as being requested and replaced subsequent to an interrogation, be construed to cover Mastercard's system of providing what are alleged to be pre-loaded batches of "single use keys"?
- A key legal question will be one of divided infringement: can Mastercard be found to directly infringe the patent's system claims when it provides the "remote computer system" (MDES) and sets mandatory technical standards, but does not itself make, sell, or operate the "mobile device" element of the claimed system?
- A central factual question for damages and willfulness will be the content of pre-suit communications: what specific infringement theories and evidence did OV Loop provide to Mastercard during the extensive meetings alleged in the complaint, and how did Mastercard respond to those allegations?