A raft of Australian and New Zealand financial services companies are monitoring an FBI investigation into Shenzhen-based merchant terminal provider PAX Technology after leading global payments provider Worldpay terminated a supply arrangement citing cybersecurity concerns.
FBI and US Homeland Security investigators raided PAX’s Florida office last Wednesday after at least one US payments company – alleged to have been Worldpay - reported “unusual network packets” originating from PAX Android terminals and a platform known as the PAXSTORE.
The PAXSTORE is an online ecosystem managed by PAX that connects over 2.5 million merchant terminals and more than 180 marketplaces around the world.
US media reports suggest that law enforcement agencies are concerned that the PAX Android terminals and online marketplace may have been used to conduct cyber attacks on American businesses.
While Banking Day has identified six Australian and New Zealand companies that use PAX merchant terminals, most are not linked to the international ecosystem (the PAXSTORE) operated by PAX.
Moreover, most of the PAX terminals used in Australia are standard merchant terminals rather than Android devices.
However, the controversy stemming from the US investigation could potentially disrupt the strategic plans of companies such as A2B Limited (formerly Cabcharge), which earlier this year told investors it planned to roll out Android payments devices before the end of the year through a partnership with PAX.
Banking Day yesterday submitted a list of questions to A2B regarding its alliance with PAX, but the company did not respond before our production deadline.
In a presentation to investors in February, A2B said that it was preparing to launch PAX A920 Android payment devices in the December half.
“Android payment terminals are gaining market share and relevance due to their ability to host apps in addition to payment. For example, an Android tablet can host a point-of-sale app alongside a payment application and a loyalty application.
“This multi-app capability has benefits in the mobility industry.
“Partnering with PAX provides an opportunity to create a competitive advantage on Android devices by developing our own software and owning the innovation roadmap.”
Another local payments player facing potential issues is the Sydney-based Datamesh Group which provides a payments gateway service and consulting services to merchants.
Datamesh merchants such as contactless public transport ticketing service - Transportme - recently became the first Australian merchants to deploy PAX Android point-of-sale devices.
“Transportme chose PAX devices, through Datamesh, which allows Australian passengers to pay for tickets onboard buses, using cards or smartphones via its Android-based payment terminal PAX A920 SmartPOS,” Transportme reported on its website in August.
Banking Day has put questions to Datamesh regarding whether the US investigation is likely to result in a change in the company’s deployment of PAX terminals.
Woolworths is another payments player that might be impacted by the controversy.
In June the country’s largest retailer launched its merchant servicing platform - Wpay – for which it is believed to have been considering PAX as a terminal provider.
"We have no PAX terminals in our fleet, or with our partner merchants,” a Woolworths spokesperson said.
“We're aware of the situation and will continue to monitor it closely."
Smartpay, a rapidly growing merchant payments business with operations in New Zealand and Australia last night confirmed that its standard issue PAX terminals were not exposed to the cybersecurity issues raised in the US.
“We are aware of reports of an FBI investigation of PAX Technology in Florida U.S. resulting from a major U.S. payment processor (Worldpay) asking questions about unusual network packets originating from PAX terminals,” said a Smartpay spokesperson.
“We have been advised by PAX that the questions raised by Worldpay related to communications between the PAX Android terminal and the PAXSTORE.
“Smartpay does not use and has never deployed PAX Android payment terminals or PAXSTORE to any customers in Australia or New Zealand.
“Smartpay develops, maintains and deploys its own proprietary payment application software and has partners providing secure communication networks for the management of terminals into the Australian and New Zealand markets.”
A spokesperson for Bendigo Bank said the company had issued standard PAX terminals to merchants in the past but they were now considered a legacy product after the recent move to outsource merchant acquiring functions to Tyro Payments.