
FBI Raids Leading Payment Terminal Provider PAX Technology

By Don Apgar
October 27, 2021
in Analysts Coverage, Merchant, Point-of-sale

Cyber security expert Brian Krebs reported in his blog Krebs on Security that the US warehouse of leading Chinese payment terminal manufacturer PAX Technology was raided today by the FBI. PAX is headquartered in Shenzhen, China; the Jacksonville, FL, facility is its US headquarters. The company has over 60 million point-of-sale payment terminals deployed in 120 countries, including a large installed footprint in the US.

Krebs reports that he has obtained information from a trusted source that the FBI began investigating PAX after a major US payments processor identified unusual network packets originating from the company’s payment terminals. The payment processor reportedly found that the PAX terminals were being used both as a repository for malicious files, or a malware “dropper,” and as “command-and-control” locations for staging attacks and collecting information. 

According to Krebs’ source, “FBI and MI5 are conducting an intensive investigation into PAX. A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”   

In an official statement issued by the FBI, investigators said only that they were executing a court-authorized search warrant in conjunction with the Dept. of Customs and Border Protection (CBP), and the Naval Criminal Investigative Service (NCIS).

According to Krebs, “My sources say that there is tech proof of the way that the terminals were used in attack ops; the packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

What is interesting to note here is that following a rash of attacks and subsequent breaches of the point-of-sale (POS) systems of large retailers like Home Depot, Target, and others, POS software providers pivoted to remove payment data from their systems. The broad functionality of POS systems needed to run a retailer’s business requires many integrations to other retailer systems like finance, inventory, etc., and many points of access, creating vulnerabilities even where systems are fully PCI compliant. 

Most POS software providers now operate payments in what is known as a “semi-integrated” environment, where the POS system only “wakes up” the payment terminal to accept the customer payment credentials, which the payment terminal then sends directly to the processor, only returning a token and approval code to the POS system. This architecture keeps sensitive customer payment information only within the payment terminal, a purpose-built device that is security-certified to very high standards, and considered to be much more secure.
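Because a semi-integrated terminal should talk only to the processor and to documented vendor hosts, its egress is easy to baseline. The sketch below is an added example, not code from the article, the processor or any vendor; it flags the two anomalies the reporting describes, destinations missing from the documentation and traffic sizes that do not fit the expected purpose. The hostnames, size limits and flow records are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed baseline: hosts the vendor/processor documents, with the largest
# outbound size expected for each purpose (constructed values).
DOCUMENTED = {
    "auth.processor.example": 2048,     # card authorization messages
    "updates.vendor.example": 50_000,   # update check / manifest requests
}

@dataclass(frozen=True)
class Flow:
    terminal: str   # terminal identifier
    dest: str       # destination hostname (e.g. from DNS or SNI logs)
    bytes_out: int  # bytes sent by the terminal in this flow

def classify(flow, baseline=DOCUMENTED):
    """Return None for expected traffic, else a reason string."""
    # Normalise case and a trailing dot so FQDN variants still match.
    limit = baseline.get(flow.dest.lower().rstrip("."))
    if limit is None:
        return "undocumented-destination"
    if flow.bytes_out > limit:
        return "size-exceeds-baseline"
    return None

def review(flows, baseline=DOCUMENTED):
    """Group findings per terminal so a single anomalous device stands out."""
    findings = {}
    for f in flows:
        reason = classify(f, baseline)
        if reason:
            findings.setdefault(f.terminal, []).append(
                (f.dest, f.bytes_out, reason))
    return findings

# Constructed sample flow records (not real telemetry).
SAMPLE = [
    Flow("T-001", "auth.processor.example", 612),
    Flow("T-001", "updates.vendor.example", 1_300),
    Flow("T-002", "auth.processor.example", 48_500),
    Flow("T-002", "files.unknown.example", 9_000),
    Flow("T-003", "AUTH.processor.example.", 540),
]

if __name__ == "__main__":
    for terminal, items in review(SAMPLE).items():
        for dest, size, reason in items:
            print(f"{terminal}: {reason} dest={dest} bytes_out={size}")
```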

Despite the ongoing attacks on retailer and processor systems, including the 2008 breach of Heartland Payment Systems that exposed 100 million customer payment credentials, this is the first known infiltration of a payment terminal itself operating in a stand-alone or semi-integrated environment.

PAX is a leading provider of terminals to POS software companies that operate them in a semi-integrated environment, as well as to banks and processors that deploy them as stand-alone payment terminals. The Android OS and robust SDK make them a favorite in many diverse card acceptance environments, and consumers like the simple keyboard layout and clear prompts.

Bloomberg reported that leading global payment processor WorldPay from FIS has begun to replace PAX devices with payment terminals manufactured by French company Ingenico and US-based Verifone.

WorldPay issued a statement stating that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation,” according to a spokesperson. “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.”

PAX CEO Andy Chau issued a rebuttal saying that, “PAX would like to assure all customers that we stand behind the security of our products and services. Every PAX device goes through stringent internal and external testing and certifications to ensure payment data is protected in accordance with industry security standards. Our policies are designed to ensure that information sent through PAX devices is transmitted securely only to the intended recipients.”

Overview by Don Apgar, Director, Merchant Services Advisory Practice at Mercator Advisory Group
