Fortnum & Mason has admitted that its staff made an "error" in asking a customer to email their credit card details in order to get a refund.
The luxury London department store, which has said that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS), had initially denied the incident.
"We have now fully investigated the claim that a customer was asked for their credit card details via email and we can confirm that an error was inadvertently made in an effort to expedite a refund," Fortnum & Mason said in a statement today.
"We apologise for causing concern for this genuine, human error, done with best intentions to aid the customer. It is against our procedures and we have taken action to ensure that this will not occur again."
An IT failure at the luxury London department store in December prevented it from delivering all of its hamper orders in time for Christmas.
One regular customer, who has still not received his delivery, contacted the company to request a refund and was told that he would need to email his personal credit card details for the refund to take place.
Fortnum & Mason said that it usually asks all customers requiring a refund to give their payment details over the telephone.
However, in email correspondence seen by ComputerworldUK, a customer relations advisor at Fortnum & Mason insisted that the store would not be able to do a refund unless the customer sent their credit card details over in an email.
"I will require your card details to arrange a refund (type of card, name of the card, long number, expiry date, security number [CVV code]). The system Fortnum & Mason have in place does not process direct crediting automatically due to encryption measures," the customer relations advisor wrote.
Due to security concerns, however, the customer declined to email his personal credit card details.
In an attempt to reassure the customer of his data security, the customer relations advisor wrote:
"I understand you do not want to give out your details; however, we do not keep them on file due to security reasons, and the only way I can refund you is if I do have them.
"We will instantly destroy your details as soon as you are refunded."
The PCI standard was introduced in recent years, and UK companies were required to reach full compliance with it by 30 September 2010.
Compliance with this standard indicates that an organisation has taken measures to protect customer card details.
According to the PCI standards, encryption must be used to protect personal cardholder data, and that data should not be stored unless there is a "legitimate business need".
It also states that the primary account number (PAN) – the long number on the front of the card – should not be sent in unencrypted emails, instant messages or chats.
"If Fortnum and Mason are inviting their customers to send the PAN in a plaintext email, they are requesting customer behaviour that they are meant – and possibly obliged – to avoid themselves," said security expert Alec Muffett.
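The PCI DSS rule quoted above (no PAN in unencrypted email, and the security code never stored) is the kind of thing an outbound-mail or ticketing check can enforce. The following is an added example, not code from Fortnum & Mason or from any DLP product: it flags a digit run only when it passes the Luhn check, masks all but the last four digits, and separately notices a labelled CVV. The two sample messages are constructed.

```python
"""Added example: a simple outbound-mail check for cardholder data.

Not Fortnum & Mason's code or any DLP product's; the sample messages below
are constructed. A 13-19 digit run is reported only if it passes the Luhn
check (cuts false positives on order numbers), and is masked to its last
four digits, the form PCI DSS allows for display.
"""
import re

# Digit runs, allowing the spaces or dashes people type into card numbers.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit number shortly after a "security number"/"CVV"/"CVC" label.
_CVV_LABEL = re.compile(
    r"(?:cvv|cvc|security (?:number|code))\D{0,20}(\d{3,4})", re.I)

# Constructed samples: a refund reply like the one in the article, and a
# harmless delivery query containing a long order reference.
SAMPLE_REFUND_REPLY = ("Hi, card details for the refund: Visa, J Bloggs, "
                       "4111 1111 1111 1111, exp 03/14, security number 123.")
SAMPLE_ORDER_QUERY = "Chasing order 1234567890123, hamper still not delivered."

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return candidate PANs (separators removed) that pass Luhn."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans

def mask_pan(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_email(body: str) -> dict:
    """Decide whether a message should be blocked before it is sent."""
    pans = find_pans(body)
    cvv_present = bool(_CVV_LABEL.search(body))
    return {"pans": [mask_pan(p) for p in pans],
            "cvv_present": cvv_present,
            "block": bool(pans) or cvv_present}
```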
Fortnum & Mason has blamed its December IT failure on the technical complications related to an IT systems upgrade and a three-fold increase in online transactions compared with the previous year.