FIS’s online-payments processing unit has begun replacing terminals made by PAX Global Technology Ltd. due to concerns about their security, according to messages reviewed by Bloomberg News and people familiar with the matter.
The business, called Worldpay from FIS, told partner companies on Oct. 8 that it had decided to remove PAX devices in favor of point-of-sale equipment manufactured by two competitors, U.S.-based Verifone and France’s Ingenico, according to a message reviewed by Bloomberg News.
In a statement, the company confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation,” according to a spokesperson. “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.”
The spokesperson said fewer than 5% of Worldpay clients currently use PAX point-of-sale devices. FIS’s shares were down 6.6% Wednesday afternoon in New York.
The decision came prior to news of a federal investigation of PAX Technology and a raid of its Florida locations that has prompted inquiries from customers about the security of devices that they have relied on for making and receiving payments.
PAX Global Technology provides payment terminals that are used to process millions of transactions in stores worldwide. According to the company, it has supplied 57 million terminals to more than 120 countries. Worldpay provides the infrastructure that consumers use to pay for services online or to pay for food in a grocery store. In 2019, it was acquired by
A PAX representative didn’t respond to a request for comment. PAX Global Technology’s corporate headquarters is in Hong Kong, and its operational headquarters is in Shenzhen, China, according to its website.
Verifone couldn’t immediately be reached for comment, nor could Ingenico, which was acquired last year by Worldline.
On Tuesday,
In a statement, the FBI said it executed the search warrant as part of an investigation with Homeland Security Investigations, Customs and Border Protection, Department of Commerce and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office. “We are not aware of any physical threat to the surrounding community related to this search,” according to the statement. “The investigation remains active and ongoing and no additional information can be confirmed at this time.”
A spokesperson for the U.K.’s National Cyber Security Centre said, “We are aware of these reports and have been working closely with relevant partners in relation to them.”
Independent cybersecurity journalist Brian Krebs
Worldpay didn’t give a reason for the decision in the Oct. 8 note. But two people working for a U.S. payments processing firm that partners with Worldpay said they were informed by executives that the decision was made due to security concerns about PAX devices. The people spoke on condition of anonymity to discuss a confidential matter.
On Oct. 19, PAX Technology Inc. President and Chief Executive Officer Andy Chau fired back. In a message reviewed by Bloomberg News, he issued a response to Worldpay customers, condemning what he called “confusing and incorrect information regarding the reasons for the discontinuance.”
“PAX would like to assure all customers that we stand behind the security of our products and services,” said Chau. “Every PAX device goes through stringent internal and external testing and certifications to ensure payment data is protected in accordance with industry security standards. Our policies are designed to ensure that information sent through PAX devices is transmitted securely only to the intended recipients.”
A spokesperson for Global Payments Inc., a Pax Technology customer, said in a message: “We are aware of the reports and have initiated an investigation. This has no impact on our processing networks and our business is operating normally.”