PAX POS Cyberattacks: Are Your Payment Terminals Compromised?
First reported by WOKV.com, agents with the FBI and DHS raided the Florida warehouse of PAX Technology. The point of sale technology giant is linked to reports of possible cyberattacks on U.S. and E.U. organizations where the technology is used.
Along with ongoing global computer chip shortages, the timing of the investigation is particularly concerning for retailers and payment processing companies preparing for the holiday season.
FBI Raids PAX, Where POS Devices Are Potentially Compromised
KrebsOnSecurity offered further detail, saying they “heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.”
The source revealed that the PAX terminals were being used both as a central location for malicious files (also known as malware “droppers”). This allows payment technology to act as a staging ground for large-scale cyberattacks focused on collecting information such as consumer credit card data.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
Major financial providers (including FIS Worldpay as reported by Bloomberg) have already begun pulling PAX terminals from their payment infrastructure.
FIS Worldpay confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation.”
“While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible,” FIS Worldpay states. “The spokesperson said fewer than 5% of Worldpay clients currently use PAX point-of-sale devices.”
While specific details about the strange network activity that prompted federal investigators are unknown, the investigation remains active and ongoing.
It’s worth noting that POS terminals and the technology that supports them are often a primary target for malware and criminal attacks.
It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Notable point of sale breaches include Heartland Payment Systems (100 million payment cards affected in 2008) as well as the Target and Home Depot thefts of roughly another 100 million credit cards in 2014.
PAX Technology’s Official Response to Cyberattacks
The Shenzhen-based company is quoted in Reuters with the following statement:
“As far as the board is aware … there has neither been any reported cyberattack incidents nor cyber attack complaints, including any breach of security protocols, against PAX products and services anywhere in the world.”
PAX’s statement to the stock exchange in Hong Kong as well as a press release on the company’s blog provide further perspective. Trading of the company’s shares resumed on November 1 after a temporary halt.
At Barcodes, Inc., cybersecurity is our primary concern when we procure and deploy POS technology. We encourage you to contact us if you have any questions or if you’re interested in replacing your PAX technology.
MePOS Pro: Exactly the Way You Want It
The MePOS Pro Point of Sale Terminal is multi-functional, integrable, customizable, flexible, and exactly the way you want it!
1. Multi- functional
With advanced designs, the tablet based Point of Sale terminal with an integrated printer can quickly convert to a kiosk or mobile POS instrument.
2. Integrable
The MePOS Connect Software Development Kit allow easy integration with leading point of sale software solutions.
3. Customizable
The compact and stylish design allow you to customize your terminal in solid colors or graphics to promote your brand and give you the option to refresh as often as you like.
4. Flexible
The capability to just remove your tablet and payment device to create MePOS Mobile, that allows workers to engage with customers and process transactions anywhere.
With a great deal of transactions taken everyday, you need a system that can keep up with the rate of service and demands of customers. The MePOS Pro can improve all that from the sleek design, to battery life, and accessibility. This change will definitely make an impact and evolve with your business.
If you have any questions regarding the compatibility with your tablet and payment devices, interested in a demo or a quote, please contact our dedicated account managers and we will be able to help you find a solution.
Top 10 Reasons to Mount Your Payment Device
ENS is the world leader in security stand mounts for payment devices. Mount your payment device today and enjoy peace-of-mind knowing that you and your customer’s valuable data have an additional level of physical protection.
#1 SECURITY
Mounting your payment device protects it against tampering and theft. Locking stands, custom security hardware, magnetic security features, along with data port covering back plates can all be utilized to protect you and your customer’s valuable data.
#2 ADA COMPLIANCE
Stands that tilt up a full 90° make it so much easier for wheel chair customers to access the device. Mounting the stand helps you meet ADA guidelines.
#3 PCI COMPLIANCE
Best practices of PCI compliance dictates that a payment device be secure. Securely mounting your payment device on a stand provides a physical barrier against tampering.
#4 EXTENDS DEVICE LIFESPAN
Mounting your payment device to a stand increases its life cycle, protects against accidental dropping and reduces tampering.
#5 ERGONOMICS & USABILITY
ENS payment terminal stands are designed to enhance the human interface with technology and optimize ergonomics for you and your users. A 180° swivel rotation allows for easy viewing between the customer and the associate
#6 PROTECT YOUR INVESTMENT
Glue pad systems allow you to mount to glass, granite or other surfaces without harming the surface. Does it need to move around the counter top and be stowed away at the end of the day? No problem! ENS has a weighted base with a rubber pad.
#7 CABLE MANAGEMENT
No more messy cables. Stands come with cable clips and a center-hole base to neatly route and organize the power and data cables.
#8 AESTHETICS
Our designs are created with form and function in mind. Low profile stands practically disappear underneath the payment devices while incorporating clean, neat and pleasing designs.
#9 REDUCED MAINTENANCE
Install the stand and forget it. No metal on metal contact. Easily field adjustable tension for tilt and swivel means you are in control.
#10 CUSTOM SOLUTIONS
Trust ENS to solve your most difficult technology mounting problem. With more than 100 years of combined engineering expertise, our team of experts will work with you through our simple four step process to Discover, Design, Develop and Deliver a solution for you on time and within your budget.
Don’t Let EMV Chargebacks Cut into Your Profits
With EMV in full swing in the U.S., chargebacks have been on the rise – especially for restaurateurs. Following a successful co-hosted webinar with National Restaurant Association on the basics of chargeback management and best practices last month, we discovered a second installment was in high demand.
The webinar took a deeper dive into the rules of EMV and chargebacks and what you can do to avoid them. If you weren’t able to join us for the presentation, we’ve summarized the high points here to help you better understand chargebacks and the liability shift.
Why EMV, Why Now?
Protecting yourself against counterfeit fraud is one of the main benefits to implement EMV because it’s virtually impossible to recreate the chip. The October 1, 2015 shift has caused some serious headaches, but the ultimate goal is to fix the payment ecosystem by heightening card security. There is, however, a glitch—if your equipment isn’t EMV-compatible, then use of a fraudulent EMV card can go undetected.
3 Reasons to Upgrade to EMV Now
With the official October 1st EMV compliance date behind us, there are still many retailers that have not made the needed changes to properly process EMV enabled cards. Almost all banks and credit card companies have issued chip-embedded cards to their customers in time for the busy holiday shopping season so it really begs the question what are the real advantages to making the EMV switch.
- Fighting Fraud – Chip cards generate a one-time code with every transaction making it nearly impossible to create counterfeit cards for use in stores.As the EU has completed its migration to EMV acceptance, the region has seen an 80% reduction in credit card fraud while the US has witnessed a 47% increase
- Lower Chargebacks – Beginning October 1, 2015, new network rules mean merchants are more likely to be financially liable for fraud, lost/stolen transactions at their in-store locations without EMV compliance. In 2015 that liability in the United States is estimated to total more than $10 billion.
- Customer Peace of Mind – Customers are more than likely to shop at stores where they feel their information is safe. It only takes once to lose the customers trust and it is very difficult to get it back.
Two of the easiest solutions to become EMV compliant is simply upgrading your current payment terminals to EMV enabled ones like the Ingenico ISC250 and iPP350. Updating is an easy process and one of our Payment Processing specialists can help you find the right device for a hassle free update. Contact us today to get EMV compliant.
EMV Compliance and Payments Explained
If your business takes any kind of card payments then you probably have been coming across the term “EMV” quite a bit recently. If you haven’t, then it’s a good time to get educated given EMV will be changing the way payments are made and who will be held accountable for fraud in the US.
EMV enabled cards are the type that have the small smart chip on them as well as the traditional magnetic stripe. Compared to magnetic stripes, EMV cards are much more secure against fraudulent usage and copied cards.
With the October 1, 2015 EMV compliance deadline coming up, getting up to speed on how you can ensure your business isn’t going to be held accountable for fraudulent usage is a must. Barcodes, Inc has you covered with our new EMV Learning Page and the expertise to provide you will payments solutions for any budget.
Penske Eliminates PCI Compliance Risk with Advanced Payment Devices
Industry: Transportation & Logistics
Application: Payment Processing & Asset Management
Barcodes Inc’s value added services teams deploy, maintain, and service thousands of payment devices for Penske’s nation-wide rental network.
Executive Summary
Penske Truck Rental was looking to eliminate PCI compliance risk within their business and reduce the number of lost or ineffective devices by implementing a revamped hardware and services platform across the 3,300 corporate and agent rental locations. Due to the complexity of the Penske rental network and number of devices deployed, Penske wanted a systematic way to track and manage the devices, as well as deliver repair and spare pool management services. In addition, Penske required a solution provider to develop software which would reduce the need for paper and allow electronic signature capture as well as integrate the terminals with the existing Penske backend systems. Barcodes Inc, through coordination with a software provider, was able to deliver the solution and work with Penske as an ongoing value added partner.
Ingenico and FreedomPay Power the Most Secure Transactions With EMV & NFC Capabilities
Ingenico and FreedomPay have announced their partnership and the certification of the innovative Telium2 series point-of-sale (POS) payment devices. The integration extends to Ingenico’s retail base application (RBA) and its innovative hardware, including iSC250 Signature Capture terminal and iPP350 PIN Pad devices. The newly supported Ingenico RBA software-powered devices will accept magnetic stripe and EMV chip-card payments, as well as NFC-based transactions, enabling tap-and-go mobile payments. Ingenico devices will be integrated and connect to the FreedomPay Commerce Platform, a cloud-based smart technology gateway, that supports true point-to-point encryption (P2PE), instantly reducing merchants’ scope for the Payment Card Industry Data Security Standard (PCI DSS) compliance and giving merchants a path to future payment system expansion.
The Retail Point of Sale Goes Mobile
Mobile point-of-sale payment terminals have experienced explosive growth over the past year. Unlike a traditional point-of-sale terminal, a mobile terminal communicates wirelessly when processing payment cards. There are different types of solutions in the market, but one popular type is an application within a mobile device, like a smartphone or tablet, that uses a hardware attachment to swipe payment cards.Merchants who use these solutions should remember to comply with both existing and evolving legal and card association requirements, particularly as other new payment acceptance solutions, such as integrated chip (IC) and near field communication (NFC) point-of-sale terminals, are adopted widely.
PCI Compliance Explained!
Point-of-Sale businesses are paranoid, with good reason, about protecting sensitive customer and company information. Financial institutions require that any company that stores, processes or transmits credit card information complies with the PCI-DSS (Payment Card Industry, Data Security Standards).
Companies that fail to comply are subject to fines, lawsuits, and can even be banned from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders. Ensuring your POS system and wireless infrastructure are in compliance is crucial.
The objective of the Payment Card Industry (PCI) Security Standards is to protect cardholder data. The standards are developed and published by the PCI Security Standards Council (SSC), which consists of hundreds of industry participants who have a vested interested in reducing vulnerabilities in the card-processing ecosystem.
