US mobile payments outfit Charge Anywhere has admitted that malware has been lurking on its network for five years, putting unencrypted payment card data at risk.
The firm says that, after being asked to investigate fraudulent charges on cards, it discovered in September that crooks had gained access to its network and installed the malware, which was used to capture segments of outbound traffic.
"Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorised person to capture and ultimately then gain access to plain text payment card transaction authorisation requests," says a statement.
These authorisation requests included names, account numbers, expiration dates and verification codes.
Charge Anywhere says that, although the person behind the attack had the ability to capture the network traffic as far back as November 2009, its investigations have only found evidence of data being taken between August and September this year.
The company has posted a searchable list of merchants that may have been affected and is advising people who may have shopped at them to check their account statements and inform their banks if they notice any unusual transactions.
It insists that the malware has been removed and that the problem did not affect any system or device at merchant locations, nor did it affect the systems of any ISO, processor, or other service providers.