Fortnum & Mason has come under fire for asking customers to email their credit card details in order to get a refund, after an IT glitch prevented the store from delivering all of its hamper orders in time for Christmas.
One regular customer, who has still not received his delivery despite placing an order in November last year, contacted the luxury London department store to request a refund.
According to a Fortnum & Mason spokesperson, the company does not keep any payment details for data protection reasons and it asks all customers requiring a refund to give their payment details over the telephone.
However, in email correspondence that Computerworld UK has seen, a customer relations advisor at Fortnum & Mason insisted that the store would not be able to issue a refund unless the customer sent their credit card details in an email.
"I will require your card details to arrange a refund (type of card, name of the card, long number, expiry date, security number [CVV code]). The system Fortnum & Mason have in place does not process direct crediting automatically due to encryption measures," the customer relations advisor wrote.
Due to security concerns, however, the customer declined to email his personal credit card details.
In an attempt to reassure the customer of his data security, the customer relations advisor wrote:
"I understand you do not want to give out your details; however, we do not keep them on file due to security reasons, and the only way I can refund you is if I do have them.
"We will instantly destroy your details as soon as you are refunded."
Commenting on the situation, security expert Alec Muffett branded Fortnum & Mason's understanding of IT security as "weak".
"To talk about destroying the details on the other end would demonstrate an understanding of security that I would term weak, because the data would reside in my outbox and quite possibly in my archived mail, with some likelihood of being transmitted from sender to recipient in cleartext (without encryption) at some point.
"[It would then be] stored on the remote mail server, possibly backed up over a weekend and then deleted or destroyed, whatever that means."
Muffett also said that while the name and number on the front of a credit card are easy to get hold of, he would not recommend sharing them "willy-nilly".
He added: "The CVV/verification code on the back of the card is meant to be a huge secret, so if they're requesting that, then email is a really bad idea for transmission."
Meanwhile, Visa Europe, the payment network, warned that customers should be wary of any emails requesting personal credit card details.
"As there are known data phishing and data compromise scenarios which operate in the online environment, it would be difficult for a cardholder to always know, without proper authentication being carried out, whether an email of this nature is legitimate."
The Payment Card Industry's Data Security Standard (PCI DSS) was introduced in recent years, and UK companies were required to reach full compliance with it by 30 September 2010.
Compliance with this standard indicates that an organisation has taken measures to protect customer card details.
Fortnum & Mason has refused to say whether it is PCI-compliant or not.
According to the PCI standards, encryption must be used to protect personal cardholder data, and that data should not be stored unless there is a "legitimate business need".
It also states that the primary account number (PAN) – the long number on the front of the card – should not be sent in unencrypted emails, instant messages or chats.
"If Fortnum and Mason are inviting their customers to send the PAN in a plaintext email, they are requesting customer behaviour that they are meant – and possibly obliged – to avoid themselves," said Muffett.
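The PCI rule described above is the kind of thing a merchant's mail gateway can enforce for it: an outbound-mail or inbox scanner that spots a Luhn-valid PAN or a labelled CVV and logs only a truncated form, so a reply like the one the store solicited is flagged instead of being filed in a mailbox. The following is an added illustration, not code from the article or from Fortnum & Mason; the sample reply, card numbers (standard test numbers) and phone number are constructed.

```python
import re
from dataclasses import dataclass
# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# A 3 or 4 digit number that follows a CVV / security-code label.
CVV_CANDIDATE = re.compile(
    r"(?:cvv2?|cvc|security (?:number|code))\D{0,20}?(\d{3,4})(?!\d)", re.I)

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every card PAN must pass; rejects most typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Truncate for logging: PCI DSS allows at most first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass(frozen=True)
class Finding:
    kind: str    # "PAN" or "CVV"
    masked: str  # never the full value; findings end up in logs
    offset: int  # character offset in the scanned text

def scan_message(text: str) -> list[Finding]:
    """Return cardholder-data findings in an e-mail body, values masked."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("PAN", mask_pan(digits), m.start()))
    for m in CVV_CANDIDATE.finditer(text):  # CVV must never be kept post-auth
        findings.append(Finding("CVV", "***", m.start(1)))
    return findings

# Constructed sample reply, modelled on the details the store asked for.
SAMPLE_REPLY = (
    "Hi, here are my details for the refund. Type of card: Visa, name on card: A Customer.\n"
    "Long number: 4111 1111 1111 1111, expiry 03/12, security number 123.\n"
    "Call me on 020 7734 8040 if there is a problem. Order ref 4111-1111-1111-1112.\n"
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE_REPLY):
        print(f"{f.kind} at offset {f.offset}: {f.masked}")
```

The phone number is too short to be a PAN candidate and the order reference fails the Luhn check, so only the real card number and the CVV are reported.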
Fortnum & Mason has blamed its December IT failure on the technical complications related to an IT systems upgrade and a three-fold increase in online transactions compared with the previous year.