Security weaknesses have caused Hypercom Corp. to pull the plug on a software system that enables gateways and merchants using personal computers as virtual terminals to connect to payment-processing services.
Scottsdale, Ariz.-based Hypercom sent a notice on July 15 to users of its SmartPayments Savannah Server and related products that it would no longer support them and that they were entering “end of life” status. Hypercom said that it had been “notified of a customer breach” and would refund payments to purchasers who bought the products after April 1. Hypercom also said it would refund annual support fees prorated from April 1.
“Hypercom has found that these applications could be compromised due to identified critical vulnerabilities,” said the letter. The letter urged customers to find alternatives, with Hypercom supplying a list of vendors.
The letter did not give any details about either the vulnerabilities or the breach, nor would a Hypercom spokesperson. The spokesperson did tell Digital Transactions News that discovery of the breach prompted Hypercom to immediately have the products reviewed by a security assessor, whose findings led Hypercom to discontinue the products. “We are strongly encouraging customers using these apps to stop using them and migrate to alternatives as soon as possible,” the spokesperson says.
A source adds that the PCI Security Standards Council informed Hypercom that the applications had lost their listing as being compliant with the Payment Application Data-Security Standard (PA-DSS), the PCI Council’s set of security rules for card-processing software.
Besides SmartPayments Savannah Server, the other affected products are SmartPayments Savannah Client, SmartPayments Savannah Client QuickBooks Plug-In, and SmartPayments Savannah Client Retail Management System Plug-In.
It is unclear how many customers are affected. Alan Forgione, an account executive at ACI Worldwide Inc., estimates the server products, which are used by gateways, might have 100 to 200 customers, and the client versions, which are used by merchants directly, might have perhaps 500. The merchants will have a relatively easy time quickly finding alternative gateway services, but the job will be tougher for independent sales organizations and gateways using the server versions. “They may have anywhere from 10,000 to 40,000 merchants running through this software,” Forgione says.
Forgione says ACI Worldwide is on Hypercom’s list of alternative vendors, and he’s been contacting gateways about the issue. “Most of them are still in a state of shock,” he says.
Hypercom acquired the SmartPayments offerings with its December 2007 acquisition of TPI Software LLC for $8.5 million in cash. That acquisition was part of a general trend among point-of-sale terminal makers to expand into software-based services.
The Hypercom spokesperson says the company is working to reassign the 13 people in its SmartPayments unit. The loss of the products won’t have a material effect on Hypercom’s revenues, he adds.