Security Policy

From VbzWiki

Protecting Customer Information

I. Protecting customer information from unauthorized use

  • Permanent storage for customer information is not located on Internet-accessible computers.
  • Customer information is removed from Internet-accessible machines as soon as it is no longer needed online.
  • Customer information is never served over plain (unencrypted) HTTP; it is accessible only over HTTPS.
  • A limited subset of customer information is sent to us via unencrypted email when a customer places an order; this includes the customer's shipping address and email and/or phone, but does not include the complete credit card number. Only the last four digits and the expiration date are sent.
  • When we retrieve complete customer information from the web server, the communication takes place via https and requires a username and password. The username and password are both long, and the password is non-mnemonic.

Verifying Authenticity

II. Verifying authenticity of credit card payments

  • We always verify the billing address when we process credit cards: the billing address the customer gives us is checked against the address the issuing bank has on file for the card.
  • If the card's billing address does not match the shipping address, or the billing address given to us does not match the billing address on file with the bank, we take additional steps to confirm that the cardholder authorized the charge. These are handled on a case-by-case basis and may include any of the following:
    • sending a letter to the card's billing address to verify the purchase
    • calling the issuing bank to verify the address
    • requiring a copy of a recent bill or bank statement showing the credit card number and the billing address
    • making two "test debits" of small, randomly-generated amounts and requiring the cardholder to tell us the amounts debited (similar to PayPal's account verification procedure)
    • sending only a small part of the shipment, and waiting at least a month before sending the rest (so as to give the real cardholder time to notice the unexpected charge and contest it, or realize that the card has been stolen and cancel it)
    • anything else our feisty little brains can think of! We really hate scams, and do our best to stomp them out.
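The "test debit" step above is a challenge-response check: only someone who can see the card's statement can report the two amounts. The following is an added example of how such a check can be implemented; it is not VBZ's code, and the policy parameters it uses (amounts of $0.01 to $0.99, three attempts, a 14-day validity window) are assumptions rather than anything the page states. The point it adds is the controls a practitioner wants around the check: amounts drawn from a cryptographic random source, an attempt limit so the two amounts cannot simply be guessed, an expiry, and order-independent matching so a cardholder who reads the amounts off a statement in either order still passes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy parameters (not stated on the page): challenge amounts are
# whole cents from $0.01 to $0.99, the cardholder gets three attempts, and the
# challenge expires 14 days after the debits were issued.
MIN_CENTS, MAX_CENTS = 1, 99
MAX_ATTEMPTS = 3
VALIDITY_SECONDS = 14 * 24 * 3600


@dataclass
class TestDebitChallenge:
    order_id: str
    amounts: tuple            # the two debited amounts, in cents
    created_at: float         # Unix timestamp when the debits were issued
    attempts: int = 0
    verified: bool = False
    exhausted: bool = False   # set once attempts run out or the challenge expires


def generate_challenge(order_id, now=None):
    """Pick two distinct random amounts using a CSPRNG (secrets, not random)."""
    span = MAX_CENTS - MIN_CENTS + 1
    a = secrets.randbelow(span) + MIN_CENTS
    b = a
    while b == a:
        b = secrets.randbelow(span) + MIN_CENTS
    return TestDebitChallenge(order_id, (a, b), time.time() if now is None else now)


def _canonical(amounts):
    # Order-independent encoding so the two amounts may be reported in either
    # order. Raises ValueError/TypeError on non-numeric input.
    return ":".join(str(int(x)) for x in sorted(amounts)).encode()


def verify_challenge(challenge, claimed, now=None):
    """Return True only if `claimed` matches the debited amounts.

    Checks expiry and the attempt limit before comparing, counts every attempt
    (including malformed ones), and compares in constant time.
    """
    now = time.time() if now is None else now
    if challenge.verified:
        return True
    if challenge.exhausted:
        return False
    if now - challenge.created_at > VALIDITY_SECONDS:
        challenge.exhausted = True
        return False
    challenge.attempts += 1
    try:
        given = _canonical(claimed)
    except (TypeError, ValueError):
        given = b""   # malformed input still burns an attempt
    ok = hmac.compare_digest(_canonical(challenge.amounts), given)
    if ok:
        challenge.verified = True
    elif challenge.attempts >= MAX_ATTEMPTS:
        challenge.exhausted = True
    return ok


def demo():
    """Constructed walk-through with fixed amounts and timestamps; returns outcomes."""
    issued = 1_700_000_000.0
    later = issued + 2 * 24 * 3600
    good = TestDebitChallenge("order-1", (37, 52), issued)
    guessed = TestDebitChallenge("order-2", (37, 52), issued)
    stale = TestDebitChallenge("order-3", (37, 52), issued)
    return {
        "reversed_order_ok": verify_challenge(good, (52, 37), now=later),
        "guesses": [verify_challenge(guessed, g, now=later)
                    for g in [(1, 2), (3, 4), (5, 6)]],
        "locked_out_after_guesses": verify_challenge(guessed, (37, 52), now=later),
        "expired": verify_challenge(stale, (37, 52), now=issued + VALIDITY_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```

With two distinct amounts between 1 and 99 cents there are 99 × 98 / 2 = 4851 unordered pairs, so three attempts give an attacker well under a 0.1% chance of guessing; the attempt limit, not the secrecy of the amounts, is what makes the check meaningful.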