CHARGE Anywhere Provides Notice of Payment Card Incident

News provided by

Dec 09, 2014, 12:01 ET

SOUTH PLAINFIELD, N.J., Dec. 9, 2014 /PRNewswire/ -- CHARGE Anywhere, LLC is a provider of electronic payment gateway solutions to merchants. Our solutions route payment transactions from merchants' point-of-sale systems to their payment processors. Maintaining the security of payment card data provided to us by our customers is an absolute priority. Unfortunately, criminals have become good at evading security measures to steal payment card data from retailers and their service providers. CHARGE Anywhere recently uncovered a sophisticated attack against its network. The attack has been completely shut down and fully investigated.

CHARGE Anywhere commenced the investigation that uncovered and shut down the attack after being asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants. CHARGE Anywhere's investigation found malware that had not been previously detected by any anti-virus program. The malware was immediately removed and we engaged a leading computer security firm to investigate how the malware was used and work with us to continue to enhance our network security measures.

The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests. While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities. During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009.

What data may have been affected?

The information involved in this incident is the content of a payment card authorization request, which may include a cardholder name, account number, expiration date, and verification code. A searchable list of merchants who may have been affected by this incident is located here. Payment cards used at these merchants between November 5, 2009 and September 24, 2014 may have been affected although we only found evidence of actual network traffic capture from August 17, 2014 through September 24, 2014.

What should cardholders do?

Individuals who used their card at one of these merchants between November 5, 2009 and September 24, 2014 should continue to review their account statements for any unauthorized activity regularly. Contact the bank that issued your card if you see any unauthorized charges. The credit card companies typically guarantee that cardholders will not be responsible for fraudulent charges. You should also review the "More Information on Ways to Protect Yourself" that can be found on our website — http://corporate.chargeanywhere.com.

What should merchants do?

This issue did not affect any system or device at merchant locations, nor did it affect the systems of any ISO, processor, or other service providers. We have eliminated the malware from our network. Merchant transactions will be routed as usual and we will continue to provide payment gateway services.

What are we doing about this?

We completely eradicated the malware from our systems and have been working with computer security firms to further strengthen our security measures.

We have also been working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted. When banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.

We deeply regret any inconvenience this may cause you. If you have questions please call us at 888-299-1179, Monday through Friday, 9 a.m. to 9 p.m. EST.

About CHARGE Anywhere, LLC: Charge Anywhere® is a financial technology solutions company providing mobile, cloud and integrated payment applications and payment gateway solutions for enterprises, banks and payment processors. Since 2004, we have been a payment industry leader with an award-winning white-label MPOS platform, P2P encryption services, and retail POS solutions that deliver payment flexibility and security backed by deep global expertise. Our customers include large enterprises, developers, and independent sales organizations (ISOs).

To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/charge-anywhere-provides-notice-of-payment-card-incident-300006998.html

SOURCE CHARGE Anywhere, LLC