Why FBI probe of payment terminal maker PAX matters to banks

The future of the Chinese company PAX Technology is in doubt after the FBI raided its U.S. headquarters this week, observers say. The company, which has been expanding its presence here, is under investigation because its point-of-sale terminals were allegedly involved in global cyberattacks.

FIS’ Worldpay, also based in Jacksonville, has pulled all PAX terminals from its customers because of the security risk.

Banks, payments processors, software companies, other terminal vendors and standards organizations may feel ripple effects — perhaps stricter certification processes or guidelines for POS manufacturers, banks or processors to follow or enforce.

Global Payments, a Pax Technology customer, informed its customers there has been no impact on its processing networks and that business is operating as normal. Simpay, a software provider in Trevose, Pennsylvania, has alerted its U.S. customers that it is working on contingency plans if there is a need to replace any PAX terminals in the coming days.

The FBI investigation was reported by a Jacksonville news station, which showed video footage of the FBI’s raid on a local PAX warehouse. The same day, security journalist Brian Krebs covered the case in his Krebs on Security blog. Krebs wrote that the FBI began investigating PAX weeks ago after a major U.S. payment processor started asking questions about unusual network activity originating from the company’s payment terminals.

There is no indication as to where any terminals allegedly involved in cyberattack schemes were located, though Krebs said a “financial provider” in the U.K was also disabling PAX terminals.

PAX did not respond to an American Banker inquiry by deadline. In a message to Worldpay customers that Bloomberg News reported, PAX CEO Andy Chau adamantly denied any wrongdoing on the part of his company, citing its stringent security testing and monitoring.

The Worldpay move is highly unusual because it has taken place during the payments industry’s customary “peak-season freeze,” a period from October to mid-January characterized by heavy volume tied to holiday shopping. Normally merchants, issuers and processors do not make any production changes to their systems to avoid introducing any transaction glitches at such a busy time.

“Having spent 16 years in the payment processing business … I have never seen anything like this,” said David Mattei, senior analyst and strategic advisor at Aite-Novarica Group. “This is truly astounding for Worldpay to decide to replace these terminals during the IT peak-season freeze, and it speaks volumes as to the seriousness of this situation. For Worldpay to decide to make the change now and not wait until January says it all.”

The POS terminal has long been a target for hackers using malicious malware to access consumer payment credentials, but hackers could exploit them in other kinds of cyber schemes.

“In today’s day and age, could every [point-of-sale terminal] be used to initiate an attack? Sure, but it is not likely,” Mattei said. “I would assume Worldpay examined network traffic across all of the POS terminals it has deployed to see if there were anomalies with other terminal manufacturers. In the days and weeks ahead, I’m sure we will see statements from Ingenico and Verifone.”

FIS’ Worldpay did not respond to an American Banker inquiry by deadline.

How it may affect standards

Banks engaged with manufacturers to provide terminals to merchant customers know that POS terminals go through extensive testing prior to a processor certifying them and deploying them, Mattei said. “The testing process is well documented with hundreds, maybe more, of test scripts that are executed as part of the certification process.”

It’s likely those test scripts will be augmented in the future, similar to how the Payment Card Industry Data Security Standard “became part of merchant and processor lives with the number and scale of data breaches,” he said. “As such, the industry can expect new testing and certification processes to be defined and part of the payment ecosystem in the near future.”

Much of what PCI develops on payment standards is designed to spur merchant security compliance for accepting payment cards, while establishing ongoing monitoring and layers of defense for network hardware and software connections, integrated applications and third-party partner involvement.

A jolting experience like an FBI raid on a manufacturer of POS devices will have a definite impact on PCI compliance and could “further erode confidence in the [PCI Security Standards Council’s] efforts to prevent cyber breaches of cardholder data,” said Aite-Novarica analyst Joseph Krull, an expert on PCI compliance.

PAX terminals have been through the PCI assessment process as PIN Transaction Security Devices and those approvals are valid until April 2023.

“This should have included a complete code review and functionality test by one of the approved PCI labs,” Krull said. “While it could be possible that malicious code was inserted into the devices after those tests, periodic version approval should have caught that.”

If it is ultimately proven that PAX terminals were compromised and used as part of a cyber scheme, investigators are going to want to know how the terminals are monitored for security.

“Either the test lab did not do a thorough process defined by the standard, or PAX may have used Beijing Unionpay Card Technology Co., the bank card test center, to do their approval testing,” Krull said.

The latter scenario would cause investigators to probe potential collusion with the Chinese government. Observers recall the situation two years ago in which U.S. officials addressed alleged intellectual property theft involving Huawei, a Chinese telecommunications equipment company.

“If it is found that these terminals contain code to perform a function other than to capture and send payment data to the merchant or its processor, PAX’s Chinese origins will be brought into question,” Aite’s Mattei said.

A PCI Security Standards Council spokesperson said the council is aware of the unfolding situation with PAX Technology, but did not have any information to share at this time.

PAX had built a following

PAX Technology, which has been in business for the past 20 years, is based in Shenzhen, China. It manufactures mostly Android-based countertop or hand-held mobile POS terminals. It has worked with fintechs and software providers to integrate application programming interfaces for other multichannel and real-time payments features.

No direct references to any relationships PAX had with banks, partners or card networks have been noted as part of the FBI action. PAX did complete what it described as a major deal with one of largest merchant acquirers in the world, China UnionPay Merchant Services, in 2016. With that deal, the PAX terminal portfolio became available to more than 6 million merchants during 2017.

In its marketing materials, PAX has said it has shipped more than 57 million terminals to 120 countries since its founding. The company did not report the number of terminals it has sold in the U.S., but its 2021 six-month earnings report cited North America revenue growth at 71% over the previous year’s first six months. It represented the largest market increase across the globe for PAX.

Most Related Links :
Business News Governmental News Finance News

Need Your Help Today. Your $1 can change life.

[charitable_donation_form campaign_id=57167]

Source link

Back to top button