Nilson Report

Issue 1208 | Nov 2021


Companies featured in this issue include:

8 Largest Credit Card Portfolios Worldwide

Market Shares for Top Issuing Countries Ranked by Outstandings 2020

Credit Card Outstandings by Region—2010 through 2020

150 Largest Credit Card Portfolios Worldwide

15 Largest Maestro Issuers Ranked by Purchase Volume

10 Top Issuers in Latin American Ranked by Purchase Volume

Top 50 General Purpose Card Issuers in Latin America

Top 50 Credit Card Issuers in Latin America

Top 50 Debit Card Issuers in Latin America

Publicly Traded Companies in Payments

Latin America’s Largest Card Issuers

The 50 largest credit card and debit card issuers in Latin America in 2020 are listed on pages 10 and 11. The 5 largest are listed here.

1. Itau Unibanco, Brazil
$74.88 billion purchase volume
2. Banco Bradesco, Brazil
$36.34 billion purchase volume
3. Banco Santander, Brazil
$31.01 billion purchase volume
4. Banco do Brasil, Brazil
$29.32 billion purchase volume
5. BBVA, Mexico
$14.32 billion purchase volume

Full access to Latin America’s Largest Card Issuers results is available when you subscribe to the Nilson Report.



Pax Technology Investigated in the U.S.

Publicly traded Pax Technology is the fifth largest manufacturer worldwide of POS terminals. Last month, the United States Department of the Treasury’s Office of Cybersecurity & Critical Infrastructure Protection (OCCIP) was made aware that some Pax terminals deployed in the U.S. potentially posed a risk to the confidentiality of customer data. 

OCCIP was informed by “Treasury partners” that laboratory tests indicated the Android-based devices transmitted encrypted data to unknown domains in China and that this data was considered to be superfluous to normal payment transaction processing. The transmissions in question “were larger in size, count and frequency than payment transactions.” 

In a letter dated November 2, 2021, OCCIP determined that the terminal behavior presented risks to the confidentiality of customer data. However, it also stated there is a “low severity threat to the U.S. financial sector” and it does not believe “the terminals present unique risks to data integrity or service availability or network security.” 

While Pax maintains remote access to its devices (as other top POS terminal manufacturers do to theirs), OCCIP “is not aware of any attempt by Pax to use their devices for disruptive or destructive purposes.”

Pax Technology has requested more information from OCCIP regarding the basis of the letter, including the claim of purported superfluous transmissions. As of November 15, it has not received a reply. 

The Pax terminals were connected to the servers of application providers the company identified in documentation made available to investigators. However, if one or more of those servers utilized a dynamic internet protocol address, which is common in the acquiring industry, it is possible Pax would not have that IP address in its documentation.

Possibly, OCCIP was not aware that transactions facilitated by POS terminals often include applications for geolocation, loyalty and telemetry data, which can involve larger data packets than transmissions of payment transactions. 

On October 26, officers of the Federal Bureau of Investigation (FBI) and agents of U.S. Customs and Border Protection (CBP) executed a court-authorized search warrant to seize certain items at the Pax office and warehouse in Florida where employees were also interviewed. 

The Pax Technology Board of Directors has not been made aware of any charges having been filed. Trading in Pax shares on the Hong Kong stock exchange, which were halted on October 27, resumed two days later. Normal operations of Pax U.S. have resumed.

The action by the FBI and CBP suggest a cybersecurity concern. If malware was downloaded to Pax devices from a criminal or state-run enterprise, it did not likely reside on the payment side of the Android operating system. PCI DSS certification is expected to have provided needed protection. Pax has not been informed that any of its devices have been compromised by malware or malicious files.

If malware had infiltrated the nonpayment applications, the aim could have been getting inside a company that deployed the terminals to gather information that had nothing to do with payments. 

It is not known if U.S. law enforcement advised processors about what it believed was questionable activity from Pax terminals or if processors informed U.S. law enforcement. Last month, one processor, FIS’s Worldpay, decided to replace Pax terminals with Verifone and Ingenico devices. However, it is not a large replacement. Pax says that in 2020 it realized approximately $1.8 million in revenue from FIS and Worldpay. 

No other customer of Pax has taken an action similar to that of FIS/Worldpay. At least one customer, Canada-based Moneris, tested its Pax terminals and software internally and, in conjunction with Pax, concluded that the PCI DSS compliant devices were not affected by security issues identified in the OCCIP letter.

Acquirers with larger installed bases of Pax devices are not likely to swap out terminals this close to the holiday shopping season. Replacement would also be complicated by a lack of inventory owing to the chip shortage.

© Copyright 2022 Nilson Report

You have 1 free articles remaining. Subscribe today. View Subscription Offer
New subscribers receive over 130 articles in the 22 issues published each year,
plus the last five years of issues (that's over 1,200 articles) on a searchable flash drive.