While attending Money 20/20 last week I received a text from a colleague asking if I’d heard rumors about PAX terminals being pulled by a payment processor. At first I thought it might have been a typo, but soon enough I began hearing corroboration in the conference hallways. But the story got even juicier: the FBI had raided PAX’s Jacksonville warehouse.
PAX Global Technology is hardly a household name; it ranks a distant third to Ingenico and Verifone in the point-of-sale (POS) card terminal market, with its greatest presence by far in Latin America. Nonetheless, it generated over $65 million in US market revenue in 2020, focusing primarily on serving smaller merchants seeking low-cost hardware alternatives.
POS terminals are a longstanding security target. Arguably the two highest-profile data breaches in memory, Target’s and Heartland’s, were perpetrated by infiltrating these simple machines stationed alongside every checkout register. By definition, they require an open connection to the outside world.
According to Krebs on Security, payment processors grew concerned when they noticed that the data packets transmitted from PAX terminals were significantly larger than required for card transactions, and that the terminals were also connecting to websites not listed in PAX’s documentation. This is a warning flag that the traffic may be implanting malware and/or extracting impermissible data.
Here’s where the plot thickens. PAX is a Chinese company, publicly traded on the Hong Kong Stock Exchange. Its management has already insinuated that recent actions against it are politically and racially motivated. However, multiple partners report that PAX has yet to offer sound explanations for the transmission discrepancies.
FIS Worldpay has confirmed it is in the process of replacing all PAX terminals deployed at a small minority of its clients. According to Krebs, at least one UK-based processor is doing the same.
But here’s the kicker: Krebs further speculates that absent prodding and hand-holding from their processors, most small merchants are unlikely to take proactive steps to address this vulnerability in the short term. For one thing, they’ll be reluctant to risk disruption during the busy holiday season. Further, given the global chip shortage, replacement terminals could prove hard to come by, particularly for mom-and-pop merchants lacking clout.
It’s no wonder POS terminals are seen as a soft underbelly for bad actors. It’s not yet known how (or if) this apparent breach will impact the front line, but as usual, any issues will likely be felt in card issuers’ contact centers and fraud departments. This is probably a good time to turn the threat monitor up another notch.
We’ll be discussing this evolving story in greater detail at our weekly CU Digital Town Hall on Wednesday afternoon, November 3. Visit https://www.cutownhall.com/ to request an invitation to join us (if you’re reading this after November 3, a replay link should be posted to the site).