Thursday, October 28, 2021
In a statement following the Oct. 26, 2021 raid, the FBI said the search of the Jacksonville, Fla., offices of PAX was “in furtherance of a federal investigation.” It added that the Department of Homeland Security, the Customs and Border Protection Services, the Naval Criminal Investigative Services and the Jacksonville Sheriff’s Office participated in the search of PAX offices. “The investigation remains active and ongoing and no additional information can be confirmed at this time,” the FBI stated.
PAX, in a statement provided to The Green Sheet, said it “is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.” PAX is headquartered in Shenzhen, China.
Independent cybersecurity journalist Brian Krebs reported on Oct. 26 that he had learned “from a trusted source” that an investigation of PAX was launched after a “major U.S. payment processor” raised the issue of unusual network packets originating from PAX terminals.
According to Krebs’ source, the processor suspected PAX terminals were being used both as a malware “dropper” (or repository for malicious files) and as “command-and-control” locations for staging attacks and collecting information.
The source added that the “packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software.”
According to Krebs, two major processors—one in the United States and one in the United Kingdom—had already begun pulling PAX terminals. He said that claim was verified by “two different sources.”
According to PAX, the company has supplied 57 million POS terminals to merchants in more than 120 countries. It is not known which or how many of those terminals are suspected of being compromised. The company’s product line includes about three dozen distinct POS devices, including traditional, “smart” and unattended terminals.
Meanwhile, Bloomberg News reported that Worldpay has begun replacing PAX terminals over security concerns. According to messages reviewed by Bloomberg, the decision to swap out PAX POS devices for Verifone and Ingenico terminals came before the FBI raid. That raid was first reported by local television stations in Jacksonville.
Worldpay didn’t provide a reason for the decision, Bloomberg stated. But it wrote that two individuals working for a payment processing firm that partners with Worldpay told the news outlet the decision was related to security concerns about PAX devices.
In its statement to The Green Sheet, PAX said it was “aware of media reports regarding the security of PAX Technology devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions. We intend to keep our team and customers apprised of the situation.”
In commenting on the situation, Krebs said he didn’t expect a merchant rush to replace PAX terminals. “Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run,” he wrote. “The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.”
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.