PAX Computer Technology (Shenzhen) Ltd. — C8:40:52 (MA-L)

The OUI C8:40:52 is a MA-L block (the full 24-bit assignment, ~16.7M addresses spanning C8:40:52:00:00:00–C8:40:52:FF:FF:FF) registered to PAX Computer Technology (Shenzhen) Ltd., the Shenzhen-based manufacturing subsidiary of HK-listed PAX Global Technology. PAX is one of the world's largest payment-terminal makers, with tens of millions of devices fielded across retail, hospitality, and unattended self-service environments; its catalog includes Android SmartPOS units (A920Pro, A950, A80), PINpads (A35), self-service kiosks (IM25/IM30), and the Elys POS family. A device presenting this OUI should be treated as a payment terminal and segmented per PCI DSS. Two security matters bear on that posture. In October 2021 the FBI, DHS/CBP, and NCIS executed a court-authorized search of PAX's Jacksonville, Florida warehouse after a major US processor reported anomalous network packets from PAX terminals; FIS Worldpay subsequently stopped deploying the devices, PAX attributed the traffic to a third-party geolocation service, and no public criminal resolution has been confirmed. Separately, STM Cyber disclosed six vulnerabilities in PAX Android terminals in 2023 (CVE-2023-4818, -42133 through -42137), several enabling root with physical access; all were patched by PAX in November 2023. Note that the "23 June 2022" registration date reported by third-party lookup sites is a database-ingestion artifact, not an IEEE-published fact — IEEE publishes no per-OUI registration dates.

IEEE assignment

C8:40:52 → PAX Computer Technology (Shenzhen) Ltd. [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv line 475); maclookup.app/macaddress/c84052

Normalized OUI

C84052 [Confirmed] — IEEE MA-L (oui.csv line 475)

Registry / block size

MA-L (24-bit OUI; ~16,777,216 addresses, range C8:40:52:00:00:00–C8:40:52:FF:FF:FF) [Confirmed] — oui.csv line 475; maclookup.app/macaddress/c84052/mac-address-details

HQ / registry address

4/F, No.3 Building, Software Park, Second Central Science-Tech Road, High-Tech Zone, Shenzhen, Guangdong 518057, CN [Confirmed] — oui.csv line 475 (corroborated by maclookup.app/macaddress/c84052)

Country

CN (China) [Confirmed] — oui.csv line 475

Company status

active [Confirmed] — paxtechnology.com, pax.us

Device types

payment terminals — Android SmartPOS, PINpads, countertop terminals, mobile POS, unattended self-service kiosks [Confirmed] — paxtechnology.com/all-pax-terminals, pax.us

Notable products

A920Pro, A950, A80, A35 PINpad, IM25/IM30 kiosks, Elys POS family [Confirmed] — paxtechnology.com/all-pax-terminals

Registration date

Unknown — IEEE publishes NO assignment/registration dates for OUI/MA-L blocks; the "23 June 2022" reported by maclookup.app is a third-party database-ingestion artifact, not an IEEE fact, and the cached oui.csv has no date column [Unknown] — maclookup.app/macaddress/c84052

Related entities

PAX Global Technology (HK-listed parent); PAX Technology Inc. (US entity, Jacksonville FL) [Confirmed] — paxglobal.com.hk, pax.us

Security context

2021 FBI/DHS warehouse search over anomalous terminal traffic (no public criminal resolution confirmed; FIS Worldpay stopped deploying PAX devices; PAX cited third-party geolocation traffic); 2023 STM Cyber disclosure of six CVEs (CVE-2023-4818, -42133, -42134, -42135, -42136, -42137), several root-capable with physical access, all patched Nov 2023 [Confirmed] — krebsonsecurity.com/2021/10/fbi-raids-chinese-point-of-sale-giant-pax-technology/; securityweek.com/vulnerabilities-expose-pax-payment-terminals-to-hacking/; thehackernews.com/2024/01/pax-pos-terminal-flaw-could-allow.html

Analyst note

Treat C8:40:52 devices as payment terminals warranting PCI DSS network segmentation; the FBI incident raises supply-chain risk flags for high-security environments even absent a public criminal outcome.