New Jersey-based Charge Anywhere, whose electronic payment gateway solutions route payment transactions from merchants’ Point-of-Sale (PoS) systems to their payment processors, has announced that they have suffered a breach that may have affected payment card data from as far back as late 2009.
The company has apparently been hit with a “sophisticated attack” against its network, which resulted in malware being installed on it.
“Charge Anywhere commenced the investigation that uncovered and shut down the attack after being asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants,” they shared. After discovering the malware, they removed it immediately and called in an (unnamed) computer security firm to help get to the bottom of the matter.
The investigation revealed that the malware allowed the attacker to capture segments of outbound network traffic.
“Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests,” they revealed in an official statement. “While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities. During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009.”
The potentially compromised information could include customers’ names, account numbers, expiration dates, and verification codes included in payment card authorization requests from a number of merchants (they provided a searchable list).
The incident was limited to the Charge Anywhere network – merchants’ systems and devices, as well as the systems of ISOs, processors or other service providers, were unaffected by it, the company reassured, adding that they will continue to provide payment gateway services as before.
They say that they have implemented additional security measures to secure their network, but haven’t mentioned whether they will encrypt all of the data routed in the future.