Sooz Jewels home page
Blog entry about this

ORIGINAL RESPONSE FROM PROTX/SAGE PAY TO MY COMPLAINT TO WHICH I MADE NO REPLY:

Hi Sue,

Thank you for your e-mail expressing your concerns about the security of your card details on the Sage Pay system. I would like to stress that you have no need for concern.

Sage Pay collect card details via a 128-bit SSL secured payment page. We request card number, expiry dates, cardholder name and address and security code value. This information is then further encrypted to be held against the transaction details on our system before being sent to the UK acquiring banks for authorisation (over secure, offline channels). We don't store the security code (in line with Visa requirements) but we do store the card number (only in an encrypted format that none of our staff have access to).

Sage Pay secure your card details within our database using AES-256, the keys for which are held on tamper-proof hardware security modules which as stated are unavailable to Sage Pay staff.

When your details are supplied to us over SSLv3, the algorithm used is RC4, as it is for almost every major e-commerce site.

SSL generates the encryption keys it uses for RC4 by hashing (using both MD5 and SHA1), so that different sessions have unrelated keys. Also, SSL does not re-key RC4 for each packet, but uses the RC4 algorithm state from the end of one packet to begin encryption with the next packet.

The SSLv3 certificates we obtain from Verisign to secure our site can support AES-256 as the encryption algorithm, but the vast majority of customers use IE6 or below and older versions of Firefox and Netscape. Most also run on Microsoft Windows, which until Vista is released, cannot use AES in SSL encryption. At present, the vast majority of sessions will be encrypted at 128-bit, but with a strong algorithm like correctly implemented RC4, 128-bits is more than enough to ensure the security of your card details.

I can also assure you that your details would not have been gleaned from our system (which has been approved, and is regularly audited by Visa and Mastercard as one of the most secure sites in the UK).

Our systems are independently audited by the UK acquiring banks and we are compliant with the card schemes themselves (both Visa and Mastercard) under their Payment Card Industry Data Security Standard which ensures we meet very strict security guidelines (see this link for more information).

I hope this explanation helps allay your security fears. Please do not hesitate to contact us if you have any further concerns.

Kind Regards,

Claire Scott
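The SSLv3 key derivation and RC4 record handling described in the reply above, as an added example that is not part of the correspondence and not Sage Pay's own code: the expansion follows RFC 6101 (MD5 over an inner SHA-1 with 'A', 'BB', 'CCC' labels), the RC4 class is a minimal textbook implementation, and any pre-master secret and handshake randoms fed to it are constructed values. Both SSLv3 and RC4 have since been prohibited for TLS (RFC 7568 and RFC 7465), so the point today is to see why carrying the cipher state across records mattered: restarting RC4 for every record would reuse keystream bytes.

```python
import hashlib

def sslv3_expand(secret: bytes, rand1: bytes, rand2: bytes, length: int) -> bytes:
    """SSLv3 key expansion (RFC 6101 s6.1 and s6.2.2): chunk i is
    MD5(secret + SHA1(label_i + secret + rand1 + rand2)), label_i = 'A', 'BB', 'CCC', ..."""
    out = b""
    for i in range(1, 1 + (length + 15) // 16):
        label = bytes([0x40 + i]) * i  # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + secret + rand1 + rand2).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:length]

def sslv3_rc4_md5_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Master secret, then the 64-byte key block for RC4-128 with MD5 MAC
    (two 16-byte MAC secrets, two 16-byte write keys, no IVs)."""
    master = sslv3_expand(pre_master, client_random, server_random, 48)
    kb = sslv3_expand(master, server_random, client_random, 64)  # randoms swap order here
    return {"master_secret": master,
            "client_write_MAC_secret": kb[0:16], "server_write_MAC_secret": kb[16:32],
            "client_write_key": kb[32:48], "server_write_key": kb[48:64]}

class RC4:
    """Minimal RC4; the keystream position persists across calls to crypt()."""
    def __init__(self, key: bytes):
        S, j = list(range(256)), 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.S[self.i]) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(b ^ self.S[(self.S[self.i] + self.S[self.j]) & 0xFF])
        return bytes(out)

def encrypt_records(key: bytes, records: list, rekey_per_record: bool) -> list:
    """Encrypt records with one continuous RC4 state (what SSLv3 does) or by
    restarting RC4 per record, which would reuse the same keystream bytes."""
    cipher = RC4(key)
    out = []
    for rec in records:
        if rekey_per_record:
            cipher = RC4(key)
        out.append(cipher.crypt(rec))
    return out
```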

INITIAL RESPONSE FROM THE BEAD SHOP (NOTTINGHAM) LTD

Dear Sue,

Thank you for emailing us with your concerns. We are sorry to hear that your card details have been used fraudulently. Protx has recently changed its name to Sage Pay; they are market leaders in e-commerce payments. We can assure you that your details won't have been sold by Protx/Sage Pay.

We will forward your email to Sage Pay and let you know of the response we receive. It is possible they may want to contact you directly - is this okay with you?

We would recommend that you report any fraudulent use of your card to the police. I know they don't always have time to investigate what they see as minor fraud, but it is important that they are aware.

As far as how the fraudster got your details, where were you when you placed your order? Was the network wired or wireless?

We wanted to email you straight away but would like to contact you by phone to discuss this further on Monday when we will be at work. Is there a particular time that would be convenient for you?

Yours faithfully,

Hana Glover
Director.

THIS IS MY RESPONSE TO THE BEAD SHOP (NOTTINGHAM)

I wrote to Protx at the same time I wrote to you. I have received a response from them which basically says that it’s impossible for staff to have access to credit card details. In that case, how does credit card fraud happen at all?! This is the second time this has happened to me this year.

I do not use a wireless system. After the last occurrence in July I upgraded my system, I upgraded my web browser, I upgraded my firewall, everything, and still this happens again.

I am working on Monday at my stall all day selling jewellery in Cambridge. After that I am on holiday.

I use the internet day in and day out; on-line shopping is how I buy pretty much everything in my life, and I have never had any problems until I started to buy from your company. It is TOO MUCH of a coincidence that BOTH times I had to cancel my card, it was just a few days after using your site. I will not be placing any more orders with you.

AND THEN A FURTHER E-MAIL FROM ME TO THE BEAD SHOP (NOTTINGHAM) LTD

I have had some further thoughts since writing to you this morning. The more I think about this whole matter, the crosser I get about it.

I strongly resent the inference that this is somehow my fault. In the days before I started my jewellery business I was a Webmaster with a larger Further Education college for two years and then worked for two years in System Support at a Tourism company. I am fully au fait with IT and I am sensible to the point of paranoia with my credit card details. As I have shopped in your Nottingham retail outlet on more than one occasion and know that you are a large, established business, I decided you would not use a disreputable company and entrusted them with my credit card details. I was extremely tempted to not use your company as I had never heard of Protx; I find it very hard to believe they are a market leader when none of the companies I shop with use them.

My husband also uses his card for on-line shopping on my computer and his own laptop (which is wireless) and has never had an incidence of fraud against him, but then again, he has never given Protx his card details. I am sorry that I continue to call the company Protx; you tell me that they have changed their name but nothing on any of the pages that I viewed whilst ordering mentioned Sage Pay at all. When I do some research on the internet, I believe they changed their name several months ago. So again, I feel resentful that I am somehow supposed to divine this fact using clairvoyance when nothing on the pages I used on your site - or their payment pages - mentioned Sage Pay. If they are so lax about changing their branding on their merchants' websites, I am afraid this leads me to believe that they would also be lax about the security of my details.

The fact that I have only used your company twice in the last six months and both times I have had to cancel my card immediately afterwards cannot be a coincidence, surely? Put yourself in my position, would you not be extremely suspicious?

I only used your company because my regular supplier did not have a colour of 6mm bicone crystal that I needed for an urgent commission and since I was ordering from your company, thought I may as well place the rest of my monthly order with you as well. Many small jewellery businesses like myself sell using Etsy and Ebay as well as their own websites and other sites which promote hand made items. In addition, my business sells on an Art & Craft Market once a week (during the Christmas period, I am doing more days). Many on-line customers pay us using Pay Pal and so, we appreciate it when we can use the balances that build up in our accounts to buy supplies. I use my regular supplier specifically because they offer Pay Pal as a means of payment. You would do well as a business to consider offering Pay Pal at least as an alternative if you wish to continue to give Protx your confidence.

THIS IS THE BEAD SHOP NOTTINGHAM'S RESPONSE TO THE ABOVE TWO MESSAGES:

Hi Sue,

My name is Robin and I am a partner in The Bead Shop (Nottingham) Limited with Hana. Hana has asked me to look further into this serious situation and to email you as I tend to spend more time working on our website and I am the first point of contact with Sage Pay for our company.

I fully understand your view and frustrations in this matter; I myself have been a victim of credit card fraud 3 times within the last 2 years. The first of those occasions was internet based and the remaining times were actual physical cloning, once in a petrol station, and I never found out the last time.

As you have taken time to email us about this situation I would like to cover all of the points that you have raised.

I have checked your orders on our system and as you have pointed out they are 6 months apart. Within that 6 months we have processed in excess of 7800 transactions through Sage Pay without any difficulties or problems with fraudulent transactions, which is not to say it won’t happen but is less likely to. I therefore believe that as your two transactions are so far apart and considering in that time the number of transactions that both us as a company and you as an individual have processed, this alone makes it more of an unfortunate coincidence than a suspicious incidence, unless of course you are being targeted. This in itself sounds more Hollywood than reality but again it could be possible but the time period is a big factor.

I also feel that even though our company has appeared near both incidences of card fraud it is too easy to be focused on the most obvious evidence that has been presented, especially as I believe this to be an unfortunate coincidence. There are too many missing links at this stage, for example where had the fraudulent transactions taken place in each case and to what value? Were they internet based or at a bricks and mortar retail shop? Was there the same pattern on both occasions? I know that the bank isn’t likely to give you this information unless you press them for it; I certainly insisted with my bank when it happened to me, which helped me to determine where and how it had happened.

I am not sure which internet search engine you may use but if you Google ‘protx’ you will get approx 948,000 hits, of which I looked at the first four pages and every result was about Protx/Sage Pay being a market leader etc. etc. Sage Pay are market leaders; they have 25,000 plus companies using their online payment service. You will probably be surprised to read that PayPal is one of their customers. https://www.paypal.com/uk/cgi-bin/webscr?cmd=xpt/Marketing/general/ProtxSignUp-outside. Other companies you may have heard of that use Sage Pay are BT, Lovefilm, Graze & the ethical superstore. These are the ones that I use regularly.

PayPal is not suitable at present for us as it doesn’t provide the same level of fraud monitoring. For example, Sage Pay looks at the cardholder's address and checks the number of incidences of fraud there; it also checks the card’s registered address, postcode and CVS number against the issuing records, whereas PayPal just tells you whether the address is verified or not. As a consumer Hana dislikes PayPal as, although they imply that you are covered should anything go wrong with your transaction, when you look into the small print you are only covered as long as the trader has money in their PayPal account, whereas if you pay on credit card (subject to a minimum transaction value) you are covered.

I understand that the evidence that you have provided makes us and Sage Pay look very much the guilty parties however there are many, many ways that card fraud happens, as I am sure you are becoming more and more aware. Since your initial email we have had our site tested by McAfee for any vulnerabilities and I am pleased to report that no vulnerabilities were found.

I would like to make two apologies. The first Hana wanted me to convey: that she did not intend to insinuate that any of this matter is your fault; you are the victim of card fraud and therefore blameless. Hana’s question about wireless/wired networks is usually the first question asked when talking internet security. Secondly I would like to apologise for our delay in changing the Protx logos for Sage Pay. As we do not use the final checkout pages regularly ourselves these things can be and have been missed. We have now updated the errors, thank you for bringing them to our attention.

I hope that this will have helped to restore some faith in us and Sage Pay concerning card security as this is very important to us. Although we cannot supply any definite answers, we are happy to help wherever we can and I certainly think it is a good idea to report this to the police and to chase your card issuer. If the card issuer had any suspicions on us or Sage Pay then we would have known about it by now. If you do find out more information then I would appreciate it if you would let me know.

Thank you for your time and I hope this will not stop you enjoying Christmas this year.

Robin

www.mailorder-beads.co.uk
The Bead Shop (Nottingham) Limited

I DID START TO COMPOSE THE FOLLOWING RESPONSE TO ROBIN OF THE BEAD SHOP (NOTTINGHAM) BUT THOUGHT THE BETTER OF SENDING IT, I JUST WANT TO PUT THIS BEHIND ME AND GET ON WITH MY LIFE!!!

I'm pretty sure it must be an on-line transaction that has caused me to have to cancel my credit card, I tend not to use my card in shops or ever at an ATM as I explained in my earlier e-mail to Hana. I use cash most of the time, I rarely venture into shops with my cards as I don't have a car, I live 2 miles from the nearest shops and would have to walk or cycle along a busy road (so I don't) to get to them. As my business is cash based, I haven't had to withdraw money from an ATM for years. My husband does occasionally but it isn't his card that had to be cancelled. The only time I am in a shop is on a Saturday when manning my stall and I never take my cards onto the market. I have only a cash float in a money belt.

LoveFilm is the only company in your list that I also use. However, they do not display the Sage Pay logo and when I recently had to change my card details, it was processed on LoveFilm's pages not Sage Pay's so I would not have heard of them due to this.

Everyone in the business of providing secure credit card processing claims to be the market leader. Plucking one out of the air that I have heard of, if I Google WorldPay for example (I am not saying they are any better or any worse than SagePay), you get 2,090,000 responses (more than Protx), checking the first four pages - surprise, surprise, I find the majority spout on about how THEY are the market leader. Another I have heard of is SecPay but they seem to be called something else now and this (now) leads me to be suspicious of them also.

If you Google "Protx problem" as a search term, the internet is littered with dissatisfied retailers complaining of outages (August 2007 and April 2008) with transactions on retailers' web sites being unable to be processed due to problems at Protx. I wonder if that's why they changed their name, to avoid the bad reputation.

The page that you link to does not lead me to believe that PayPal is a customer of Protx, just that they are acting in partnership with Protx to enable PayPal to be offered as an alternative payment system. However, this page: http://www.sagepay.com/developers/administration_manual/setting_up_paypal.asp leads me to believe that you could add PayPal to your website if you wished to retain my business. However, I do understand personal dislike may influence Hana to not want to do this and I respect her decision.

The reason I like to pay by PayPal is because I don't have to enter my credit card details each time. I realise there is a risk in that PayPal store my details and I have to trust that they keep them secure, but I have had a PayPal account for so long that when I opened the account, which was way back in the days when there hadn't been a single case of on-line credit card fraud (according to Which.Net's online forums at the time - I am a member of the Consumers Association). What it does do when they store credit card details is that it can be traced to them if their security is breached and they have to take responsibility for it. Also, my encrypted details aren't floating about in cyberspace waiting for someone to intercept them time after time.

PayPal may not have fraud monitoring to the level you think is required but what is the point of you requiring monitoring if you do nothing when a possible fraud is reported but respond that it's impossible and a coincidence?

I appreciate your apology.
