Fortnum & Mason has finally said that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS), after coming under fire for asking a customer to email their full credit card details in order to get a refund.
In a statement, the luxury London department store said: "Fortnum & Mason take the handling of customer personal information and data extremely seriously and treat our customers' personal information as highly confidential at all times.
"We comply fully with the Payment Card Industry (PCI) Data Security Standard for both payment card and consumer financial data protection and have procedures in place to ensure these standards are met."
An IT failure at the store in December prevented it from delivering all of its hamper orders in time for Christmas.
One regular customer, who has still not received his delivery, contacted the company to request a refund and was told that he would need to email his personal credit card details for the refund to take place.
Fortnum & Mason said that it asks all customers requiring a refund to give their payment details over the telephone.
However, in email correspondence seen by ComputerworldUK, a customer relations advisor at Fortnum & Mason insisted that the store would not be able to do a refund unless the customer sent their credit card details over in an email.
"I will require your card details to arrange a refund (type of card, name of the card, long number, expiry date, security number [CVV code]). The system Fortnum & Mason have in place does not process direct crediting automatically due to encryption measures," the customer relations advisor wrote.
Due to security concerns, however, the customer declined to email his personal credit card details.
In an attempt to reassure the customer of his data security, the customer relations advisor wrote:
"I understand you do not want to give out your details; however, we do not keep them on file due to security reasons, and the only way I can refund you is if I do have them.
"We will instantly destroy your details as soon as you are refunded."
The Payment Card Industry Data Security Standard (PCI DSS) was first published in 2004, and UK companies were required to reach full compliance with it by 30 September 2010.
Compliance with this standard indicates that an organisation has taken measures to protect customer card details.
Under the standard, cardholder data must be encrypted whenever it is sent across open, public networks, stored primary account numbers must be rendered unreadable, and cardholder data should not be retained at all unless there is a "legitimate business need". The card security code (the CVV requested in the email above) is classed as sensitive authentication data and may not be stored once a transaction has been authorised, even in encrypted form.
It also states that the primary account number (PAN) – the long number on the front of the card – should not be sent in unencrypted emails, instant messages or chats.
"If Fortnum and Mason are inviting their customers to send the PAN in a plaintext email, they are requesting customer behaviour that they are meant – and possibly obliged – to avoid themselves," said security expert Alec Muffett.
Fortnum & Mason has blamed its December IT failure on the technical complications related to an IT systems upgrade and a three-fold increase in online transactions compared with the previous year.