Chinese payment terminal manufacturer PAX Global is in the crosshairs of the US authorities, who suspect it of transferring confidential customer data to China. Behind this case lies the question of the different technologies used by players in this market: are they all secure?
PAX payment terminals: customer data transferred to China
At the end of 2020, PAX Global signed a partnership with Crédit Agricole, via its specialized subsidiary AVEM, aimed in particular at equipping merchants with payment terminals. But PAX Global is now under suspicion from the US authorities of illegally retrieving customer data via its terminals, and transferring it to China.
This case is not unlike that of the Target retail chain in 2013. Target was forced to reveal the hacking of tens of millions of bank cards used in its stores. This massive violation of customers' PIN codes led to a considerable drop in the chain's sales.
Crédit Agricole, whose reputation could be tarnished by the investigation targeting PAX Global, immediately put things into perspective, pointing out that the payment terminals offered to its merchant customers did not use the same technology as that used by PAX.
Unlike the "classic" payment terminals offered by Crédit Agricole, which operate without a chip, with Linux, and do not store geolocation data, PAX Global's terminals are SoftPos, using the Android operating system.
Data security at the heart of a competitive market
These new-generation terminals use the same technology as a smartphone, enabling them to offer different payment services, just like the applications installed on an Android mobile.
Crédit Agricole is not the only player to take an interest in this technology, which sets it apart from the competition in a booming sector. Other banks, such as Société Générale, BNP Paribas and Banque Postale, are shareholders in the AVEM subsidiary, while several fintechs are also using the Android payment terminals offered by PAX Global.
However, according to some specialists, these new-generation payment terminals could be subject to the same cyberattacks as smartphones. At present, however, the security level of PAX terminals, which have been awarded the same certifications as conventional payment terminals, is not in question.
However, in a highly competitive market, the slightest security flaw, whether proven or merely suspected, can have serious consequences for a company's credibility. In the U.S., payment specialist WorldPay has already announced that PAX terminals will no longer be distributed. They will be replaced by conventional payment terminals from two of PAX's competitors, Ingenico and Verifone.