DCT
3:24-cv-00076
Autoscribe Corp v. Tsevo LLC Case transferred To SDTX Houston Division
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Autoscribe Corporation (Maryland)
- Defendant: Tsevo, LLC (Texas) and GambleID, LLC (Nevada)
- Plaintiff’s Counsel: Ahmad, Zavitsanos & Mensing, PLLC
- Case Identification: 3:24-cv-00076, S.D. Tex., 03/18/2024
- Venue Allegations: Venue is alleged to be proper because both Defendants reside in the district, share a principal place of business in the district, and have committed alleged acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendants’ payment processing products, which use tokenization to handle sensitive financial data, infringe a patent related to securely processing payments by separating a merchant server from a secure server.
- Technical Context: The technology concerns secure online payment processing, a field where reducing a merchant's exposure to sensitive data (like credit card numbers) is critical for minimizing security risks and the scope of PCI-DSS compliance.
- Key Procedural History: The complaint does not mention any prior litigation, IPR proceedings, or licensing history related to the asserted patent.
Case Timeline
| Date | Event |
|---|---|
| 2012-06-05 | U.S. Patent No. 11,620,621 - Earliest Priority Date |
| 2023-04-04 | U.S. Patent No. 11,620,621 Issued |
| 2024-03-18 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,620,621 - “Enrolling a payer by a merchant server operated by or for the benefit of a payee and processing a payment from the payer by a secure server,” Issued April 4, 2023
The Invention Explained
- Problem Addressed: The patent addresses the significant costs, complexity, and security risks for merchants who handle sensitive customer financial data, such as credit card numbers, which subjects them to stringent PCI-DSS (Payment Card Industry Data Security Standard) compliance requirements (’621 Patent, col. 1:21-50).
- The Patented Solution: The invention proposes a system architecture that separates the merchant's primary server from a "secure server" that handles all sensitive financial account information. The merchant's server initiates a payment process but, instead of receiving the customer's credit card data, it receives a non-sensitive "token" from the secure server. This token acts as a reference to the securely stored financial data, allowing the merchant to process payments without ever possessing or storing the underlying sensitive information, thereby reducing their security liability and compliance burden (’621 Patent, col. 2:51-65; col. 3:4-15). The secure server can interact with the payer through a frame or window embedded within the merchant's webpage to collect the financial data directly (’621 Patent, col. 6:63-col. 7:2).
- Technical Importance: This architectural separation of functions, using tokenization and an embedded interface, allows merchants to offer a seamless checkout experience while outsourcing the most sensitive data-handling operations to a specialized, secure system.
Key Claims at a Glance
- The complaint asserts infringement of at least Claim 1 (Compl. ¶25).
- Independent Claim 1 is a method claim comprising the essential elements of:
- A secure server providing an API to a merchant server for financial account registration and token retrieval.
- The secure server receiving payer data and a payment amount from the merchant server via the API.
- Authenticating the payee (merchant).
- Executing a financial account registration function by generating a URL to establish a secure connection (e.g., SSL) with the payer's computer.
- Establishing this connection within a window or frame on the merchant's webpage.
- Using the connection to render a form for the payer to enter sensitive financial information.
- Receiving and storing the sensitive information on the secure server.
- Executing a token retrieval function by providing a non-sensitive token to the merchant server (without providing the sensitive data to the merchant or the token to the payer).
- Processing the payment using the stored sensitive information.
- The complaint does not explicitly reserve the right to assert dependent claims, but the prayer for relief requests a declaration of infringement of "one or more claims" (Compl. p. 22).
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are Defendants' "Smart Cashier" and "Token Vault" products and services, collectively referred to as the "Infringing Methods" (Compl. ¶26).
Functionality and Market Context
- The complaint alleges that "Smart Cashier" is a "payment management gateway" that provides merchants with a flexible API to implement PCI-DSS compliant payments (Compl. ¶28-29). One of its advertised features is a "WebSession service" that facilitates this (Compl. ¶29, p. 9). A screenshot from Defendants' marketing materials describes the "Smart Cashier" as offering an "integrated gateway checkout" with a "customizable managed payment flow" (Compl. p. 8).
- The "Token Vault" product is described as a service that "encrypts and replaces sensitive payment data with a unique identifier (token)" and securely stores the actual payment data (Compl. ¶36, p. 19). The complaint alleges these products are used in industries such as gaming, energy, and retail, and that Defendants compete directly with Autoscribe (Compl. ¶17, ¶20).
IV. Analysis of Infringement Allegations
11,620,621 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| providing, by the one or more secure servers to a merchant server... an application programming interface (API) that: provides financial account registration and token retrieval functions | Defendants' "Smart Cashier" provides a "flexible API" with a "WebSession service" and "Token Vault" service for PCI compliant registration and tokenization. | ¶29-30 | col. 6:55-63 |
| provides access to the financial account registration and token retrieval functions to the merchant server | The GIDX Platform API documentation describes how merchants can access the platform using security credentials. | ¶31 | col. 6:60-63 |
| receives, from the merchant server via the API, at least one data element associated with the payer and a payment amount | The "CreateSession" method of the API allegedly receives parameters such as "MerchantCustomerID" and "CashierPaymentAmount". | ¶32 | col. 8:50-55 |
| authenticates the payee | The API allegedly authenticates the merchant (payee) using "ApiKey" and "MerchantID" parameters provided by the merchant. | ¶33 | col. 17:1-2 |
| executes the financial account registration function... by: generating a uniform resource locator (URL)... a dynamic URL generated by the secure server | The "CreateSession" method allegedly returns a "SessionURL," described as an "encrypted, one time use, script-tag," which is alleged to be a dynamic URL. | ¶34(a) | col. 17:4-13 |
| establishing the secure socket layer connection... between the secure server and the payer computing system within a window or frame that is displayed within the webpage provided by the merchant server | The "SessionURL" script-tag allegedly connects the customer's device directly to the GIDX Service, and the resulting interface is "rendered and embedded... into the merchants page". | ¶34(b) | col. 17:14-22 |
| outputting instructions to the payer computing system... to render a financial account registration request form | The GIDX Service allegedly renders an "HTML interface" on the customer's device to collect payment information. | ¶34(c) | col. 17:23-30 |
| receiving the sensitive financial account information provided by the payer via the secure socket layer connection | An "Example Response" from the API documentation for a "Save PaymentMethod" call shows the system receiving fields like "CardNumber" and "ExpirationDate". | ¶35, p. 18 | col. 17:37-39 |
| storing the sensitive financial account information in a secure storage location | The "Token Vault" marketing materials state that "actual payment data is securely stored within the Token Vault solution". | ¶36 | col. 17:40-44 |
| executing a token retrieval function... by: providing a non-sensitive electronic data token representing the sensitive financial account information to the merchant server | The "Token Vault" service is alleged to replace sensitive data with a "unique identifier (token)". An example API response shows a "Token" field. | ¶37 | col. 17:45-52 |
Identified Points of Contention
- Scope Questions: A central question may be the interpretation of "within a window or frame that is displayed within the webpage provided by the merchant server". The analysis will depend on the specific technical implementation of the accused "WebSession" service (e.g., iframe, dynamic DOM manipulation) versus a full-page redirect, and whether the former is required by the claim. The complaint alleges an embedded process, citing documentation that the merchant embeds the "SessionURL" into their HTML webpage (Compl. ¶34(b), p. 14-15).
- Technical Questions: The complaint alleges that the "SessionURL" is a "dynamic URL" as required by one option in the claim. The defense may challenge whether the "one time use, script-tag" functions as a "dynamic URL" in the manner contemplated by the patent. The provided visual, describing the "SessionURL" as an "encrypted, one time use, script-tag," may support the plaintiff's characterization (Compl. p. 14).
V. Key Claim Terms for Construction
The Term: "secure server"
- Context and Importance: This term is foundational to the patent's core concept of separating functions. The dispute will likely center on the required degree of separation (logical, physical, operational) between the "merchant server" and the "secure server." Defendants may argue their system is a single, integrated platform, while Plaintiff will likely argue that the functions are performed by distinct systems from the perspective of the merchant, consistent with the patent's teachings.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent states that the merchant's server and secure server "may operate in the same location or may be the same hardware using a separated volume or partition, or memory section" (’621 Patent, col. 2:47-50), which could support a construction that does not require physical separation.
- Evidence for a Narrower Interpretation: The patent repeatedly contrasts the "merchant's regular server" with the "secure server" (’621 Patent, col. 2:35-44) and emphasizes that advantages are realized through "logical and/or physical separation" (’621 Patent, col. 2:50-51), suggesting the two are architecturally and functionally distinct entities.
The Term: "non-sensitive electronic data token"
- Context and Importance: The nature of the "token" is critical, as its "non-sensitive" character is what enables the merchant to avoid PCI compliance burdens. Practitioners may focus on this term because the entire security model of the patent hinges on it. The question will be what technical characteristics render a token "non-sensitive."
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent provides a functional definition, stating it is "a value that is not considered sensitive outside the environment where it is stored and used" and a "symbolic representation of a financial instrument" (’621 Patent, col. 2:51-56). This could be read broadly to include any identifier that does not, on its face, reveal financial account data.
- Evidence for a Narrower Interpretation: The patent specifies that the token is an "index to the stored financial account information" (’621 Patent, col. 2:65-66) and that knowledge of the token is "required for an authorized user to use the financial instrument" (’621 Patent, col. 10:48-50). This may suggest that the token, while not revealing the account number directly, must still possess specific properties linking it to a single, authorized transaction or user, potentially narrowing its scope from a generic identifier.
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement, stating that Defendants provide documentation, APIs, and technical assistance that instruct and encourage their customers (e.g., Genscape, Waterborne Energy) to implement the infringing methods (Compl. ¶40, ¶42-43). The complaint specifically cites API documentation as an "integration guide" for customers (Compl. ¶43). It also alleges contributory infringement based on providing the APIs and code as a material component of the invention that is not a staple article of commerce (Compl. ¶45-47).
- Willful Infringement: The willfulness allegation is based on Defendants having knowledge of the patent "no later than the date of this Complaint" (Compl. ¶38). The allegation appears to be based on post-suit conduct, as no pre-suit notice is mentioned.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural mapping: Does the Defendants' GIDX platform, with its "Smart Cashier" and "Token Vault" components, operate as a "secure server" that is functionally and architecturally distinct from its customers' "merchant servers" in the manner required by the patent's claims?
- A key evidentiary question will be one of technical implementation: Can Plaintiff demonstrate that the accused "WebSession service" establishes a connection "within a window or frame" on the merchant's webpage, as opposed to a simple redirect, and does the "one time use, script-tag" function as the "dynamic URL" described in Claim 1?
- A central question of claim scope will be the definition of a "non-sensitive electronic data token". The outcome may depend on whether the token generated by the accused system is merely an arbitrary identifier or if it possesses the specific properties of an "index" that is "only meaningful to participants in the processing cycle," as described in the patent.