Chinese payment terminal company searched by the FBI

The FBI and other US agencies raided the Florida premises used by Chinese payment terminal provider Pax Technology.

The research had been “in support of a federal investigation,” the FBI said.

US media reports suggest it was prompted by concerns about the safety of Pax Technology products.

The company said no wrongdoing was brought forward. “Pax Technology takes security very seriously,” he said.

“As always, Pax Technology is actively monitoring their environment for possible threats.

“We remain committed to providing secure, quality software systems and solutions.”

“Pax Technology is not aware of any illegal conduct by you or your employees and is hiring legal counsel to help them learn more about the events leading up to the investigation.”

Founded in 2001, Pax claims to have delivered over 57 million terminals to more than 120 countries around the world.

Pax technology is used extensively in the UK – on its blog, the company notes Prime Minister Boris Johnson used one of its terminals to make a donation to charity.

An FBI official told BBC News that he had raided three facilities in Jacksonville, Florida.

“The FBI Jacksonville Division, in conjunction with Homeland Security Investigations, Customs and Border Protection, the Department of Commerce and Naval Criminal Investigation Services, and with support from the Jacksonville Sheriff’s Office, conducted a search cleared by the court in support of a federal investigation, “he said.

“The investigation remains active and ongoing and no further information can be confirmed at the moment.”

The news hit the company’s shares hard: Pax Global Technology fell more than 43% on Wednesday in trading in Hong Kong.

In a letter to UK customers, obtained by BBC News, the company’s UK office said: “In summary, there are no safety concerns.

“Pax UK can confirm that there have been no security breaches, no data compromise and no risk of compromise.

“No confidential customer information or transaction data was sent from any Pax device sold in the US or UK.”

Hong Kong’s Pax Technology Corporate will release a “global response by the end of this week,” he said.

Technology reporter Brian Krebs said a reliable source of his had claimed that a major US payment processor had claimed “that Pax terminals were used both as a” dropper “of malware – a repository for malicious files – and as” command and control “positions for staging. of attacks and information gathering “.

The source further stated that the British security service MI5 was also involved in the investigation.

BBC News was unable to verify these claims.

The letter to UK customers said: “MI5 has not been in contact with anyone at Pax.”

In a Frequently Asked Questions (FAQ) document accompanying the letter, the company added: “There are no known or reported vulnerabilities in Pax terminals.”

The National Cyber ​​Security Center told BBC News that it is aware of the reports “and has worked closely with relevant partners in relation to them”.

Worldpay by FIS, a leading payment processing company, began removing Pax terminals earlier this month in a first move reported by Bloomberg News.

It no longer deployed Pax point-of-sale (POS) devices, “because it did not receive satisfactory responses from Pax regarding its POS devices connecting to websites not listed in the documentation provided,” FIS said.

But he had “no evidence that the data running through the Pax POS devices has been compromised.”

The company declined to provide further information.

And it is not clear whether the FBI investigation is connected to the issues that led Worldpay to withdraw the terminals.

But the letter from Pax UK to customers said, “This has to do with FIS / Worldpay.”

And the FAQ document said, “Concerns about the security of our devices seem to be rooted in a misunderstanding of our Android-based technology.

“Advanced features require connectivity with multiple networks, which can lead to the false impression that an Android-based device is less secure.”