Paymark has investigated a claim its new Click sales platform has been compromised with malware.
A user posted on the New Zealand section of popular web forum Reddit claiming they were trying to purchase tickets to an event through website EventsAIR, when they were redirected to a fake Microsoft website.
"As part of the payment process on Paymark Click, I ended up being sent to an Arcot website," Reddit user slashgrin wrote.
"Immediately after sending the verification SMS to my phone, the Arcot website redirected to some malware/phishing site... I immediately freaked out and wondered if my computer/browser had been somehow compromised."
But when they tried to complete the process on a different device, using a different internet connection, the same thing happened.
"It looks like Arcot has somehow been compromised, which may make Paymark Click unsafe to use right now."
- Warning as international phone scammers target Kiwis
- 'Police officer' phone scam targeting New Zealanders
Paymark Click launched just over a year ago, and allows purchases to be made online with an EFTPOS card. Most online payment services require a credit card.
Paymark spokesman Paul Brislen told Newshub that the company conducted a full review of its services following the initial report of the problem.
"We are pleased to say there is no security flaw with regard to this service," he says.
"It would appear that there is an isolated issue with a particular type of card we believe is issued overseas that could be at risk - however as this is outside Paymark’s network we will pass the information on to the bank for follow-up."
He says Paymark is grateful to the original Reddit poster for bringing the issue to the company's attention.
"We’re very glad to see it’s not a problem on our network as we take security matters very seriously at Paymark for obvious reasons."
He suggested if the problem isn't with the user's own computer, it could be originating at EventsAIR's end. Newshub has contacted Centium Software, the company behind EventsAIR, for comment.
"He was trying to use Click on a certain website, and it sounds like the website is the one throwing up the alert. I don't know for sure. The security guys are trying to recreate it at the moment."
CA Technologies, which runs the Arcot service, said it had not received reports of any issues.
Slashgrin said one of the phrases used in the fake website, 'Microsoft 360 Security Warning', only brought up one Google hit from a few days ago - so it could be a relatively new attack.