FIS’s Worldpay replaces PAX terminals over security concerns

FIS’s online-payments processing unit has begun replacing terminals made by PAX Global Technology Ltd. due to concerns about their security, according to messages reviewed by Bloomberg News and people familiar with the matter.

The business, called Worldpay from FIS, told partner companies on Oct. 8 that it had decided to remove PAX devices in favor of point-of-sale equipment manufactured by two competitors, U.S.-based Verifone and France’s Ingenico, according to a message reviewed by Bloomberg News.

In a statement, the company confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation,” according to a spokesperson. “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.”

The spokesperson said fewer than 5% of Worldpay clients currently use PAX point-of-sale devices. FIS’s shares were down 6.6% Wednesday afternoon in New York.

The decision came prior to news of a federal investigation of PAX Technology and a raid of its Florida locations that has prompted inquiries from customers about the security of devices that they have relied on for making and receiving payments.

PAX Global Technology provides payment terminals that are used to process millions of transactions in stores worldwide. According to the company, it has supplied 57 million terminals to more than 120 countries. Worldpay provides the infrastructure that consumers use to pay for services online or to pay for food in a grocery store. In 2019, it was acquired by Fidelity National Information Services Inc. in a $35.5 billion deal that was the biggest ever in the international payments sector.

A PAX representative didn’t respond to a request for comment. PAX Global Technology’s corporate headquarters is in Hong Kong, and its operational headquarters is in Shenzhen, China, according to its website.

Verifone couldn’t immediately be reached for comment, nor could Ingenico, which was acquired last year by Worldline.

On Tuesday, local media in Florida reported that agents with the Federal Bureau of Investigation and the Department of Homeland Security had carried out a court-authorized search of Jacksonville locations for company unit PAX Technology Inc. PAX Global Technology plunged 43% in Hong Kong on Wednesday after media reports of the raid at its U.S. locations.

In a statement, the FBI said it executed the search warrant as part of an investigation with Homeland Security Investigations, Customs and Border Protection, Department of Commerce and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office. “We are not aware of any physical threat to the surrounding community related to this search,” according to the statement. “The investigation remains active and ongoing and no additional information can be confirmed at this time.”

A spokesperson for the U.K.’s National Cyber Security Centre said, “We are aware of these reports and have been working closely with relevant partners in relation to them.”

Independent cybersecurity journalist Brian Krebs reported that British and American security agencies began investigating PAX Technology after an unnamed U.S. payment processor noticed “unusual network packets” originating from the company’s payment terminals. According to Krebs’s report, the FBI’s raid on Tuesday was also linked to reports that PAX’s systems may be involved in cyberattacks on U.S. and E.U. organizations and suspicions that its terminals had been used as a “command and control” staging point for conducting hacks and collecting information.

Worldpay didn’t give a reason for the decision in the Oct. 8 note. But two people working for a U.S. payments processing firm that partners with Worldpay said they were informed by executives that the decision was made due to security concerns about PAX devices. The people spoke on condition of anonymity to discuss a confidential matter.

On Oct. 19, PAX Technology Inc. President and Chief Executive Officer Andy Chau fired back. In a message reviewed by Bloomberg News, he issued a response to Worldpay customers, condemning what he called “confusing and incorrect information regarding the reasons for the discontinuance.”

“PAX would like to assure all customers that we stand behind the security of our products and services,” said Chau. “Every PAX device goes through stringent internal and external testing and certifications to ensure payment data is protected in accordance with industry security standards. Our policies are designed to ensure that information sent through PAX devices is transmitted securely only to the intended recipients.”

A spokesperson for Global Payments Inc., a PAX Technology customer, said in a message: “We are aware of the reports and have initiated an investigation. This has no impact on our processing networks and our business is operating normally.”

Bloomberg News