Friday 18 December 2009

Protx / Sage Pay possible fraud

I am writing to let my blog readers know that I have reason to believe that Protx / Sage Pay, one of the credit card processing companies for on-line businesses, is selling debit and credit card details to criminals.

My reason is that I ordered items with the Bead Shop (Nottingham) Ltd on 22 June 2009. I don't use them very often as they're a little on the expensive side but my usual supplier did not have the colour of swarovski crystals I wanted. The Bead Shop (Nottingham) Ltd use Sage Pay / Protx as a credit card processing company for their website. When I placed the order, I hadn't actually come across Sage Pay /Protx before but after doing some research on the internet, it seemed a legitimate company and I have been into the Bead Shop (Nottingham)'s retail outlet in Nottingham on several occasions. Believing them to be a reputable company, I went ahead with entering my details into the Sage Pay / Protx system. Just a few days after that order, my bank informed me of fraudulent transactions on my debit card. I had to cancel my debit card and they issued me with a new one. The bank were unable to tell me where my card details had been stolen, and I was unable to link it to the Bead Shop (Nottingham) as I had placed several other on-line orders in the time leading up to the fraud. It was really inconvenient as I use that debit card for many regular routine payments on-line and so I had to go through all of them changing my details (Love Film for my monthly DVD usage, my web hosting provider, Amazon, etc). A right beeping pain!

Anyway, the next time I dealt with the Bead Shop (Nottingham) Ltd and Sage Pay / Protx was to place an order with them on 14 December and guess what? Just four days later, I have today had a conversation with my bank when they informed me that fraudulent transactions have again occurred on my card and I have had to go to the inconvenience of cancelling my debit card again. Someone has bought a mobile phone at the Car Phone Warehouse and tried to top up another mobile phone using my card. (I won't have to pay for those I have been assured!)

So, I have spent time this evening going through my bank account with a fine tooth comb and the ONLY organization I placed orders with a few days before the bank contacted me on both occasions is The Bead Shop (Nottingham) Limited.

Coincidence??! I think not. I do not use my debit card in shops or ATMs ever. I pay utility bills using direct debit or I pay my landlady direct using cash or a cheque. My business is largely cash based and therefore I tend to also pay for things in shops using cash. Most of my shopping is done on-line anyway because I don't like shopping that much and as I don't have a car, the only time I tend to do any shopping at all is in Cambridge on a Saturday when I am usually cash-rich (ish!) I cannot recall the last time I used my debit card in a shop and I haven't used one in an ATM for at least three years.

I have e-mailed the Bead Shop (Nottingham) to tell them I will NOT be placing any further orders with them in the future unless they offer PayPal as an alternative means of payment. Plus I will never ever use any website that uses Sage Pay / Protx as a credit card processing company either. I have to say, the Bead Shop (Nottingham) is the only one I deal with that does use them anyway.

I am awaiting comment from the Bead Shop (Nottingham) before reporting them to any authorities that take an interest in this kind of fraud though it probably happens so regularly, I am doubtful anything will be done.

25 comments:

  1. You should definitely notify the police of this situation. They take credit card fraud seriously as it is big business. So do the banks, as they have to foot the bill for the criminal activity and are keen to pursue the criminals. Well done for alerting people to the potential risk and I hope the Bead Shop do something about it too. You can't be the only one to have experienced this.

    ReplyDelete
  2. Hi Sue,
    Your blog has come to our attention and it's obvious you've been experiencing some problems. If you would like to send over your contact details and an account of the issues, I'd be happy to look into this on your behalf.
    Many thanks,
    Amy

    ReplyDelete
  3. Amy thanks but I am now on holiday. I don't want to waste any more time on this, Protx/Sagepay or whatever you are called already have a full account. I have spent a lot of time e-mailing and making phone calls already. It's clear from the reply e-mails deflecting responsibility that I have received that no-one at Protx or Sage Pay think that it is possible for anyone to get at my details and pass them on and therefore it is my fault.

    Jean, thanks very much for your interest but all I have received from Protx/Sagepay and the Bead Shop (Nottingham) are e-mails of denial along with inferences that it is my fault. Last time this happened I upgraded everything on my computer to do with security and I am cautious to the point of paranoia about giving my credit card details out. To report it to the police, I would have to supply paperwork and take time to copy documentation at this end in order to make my case. I don't have time this close to Christmas and so the oportunity will be lost, I'm just going to do what my bank suggested who also weren't that interested in this astonishing coincidence; they say I should put it down to bad luck and not use the supplier or this credit card processing company again.

    If I spend any more time on this and nothing happens I'm just going to be even more annoyed about it.

    ReplyDelete
  4. In fact, Amy, come to think of it, the above is pretty much a full account except for the dates of my orders/payments to the Bead Shop (Nottingham) Ltd:
    22 June 2009 - £77.70
    14 December 2009 - £93.24

    ReplyDelete
  5. Hi Sue,
    Thanks for getting back to me. I do understand that an issue like this is really frustrating for you especially if you feel as though you are being passed back and forwards between different parties. As I said we've been investigating this issue ourselves and would really like the chance to have a discussion with you, the retailer and your bank to get to the root of the problem.
    Kind regards,
    Amy

    ReplyDelete
  6. Hi Amy, thanks so much for prolonging this even further, this is just what I want to be doing on bank holiday Monday - Happy New Year! Please see the web page below for all the responses I have received so far from the Bead Shop (Nottingham) and SagePay
    http://www.soozjewels.co.uk/sagepayfraud.html.

    From these responses, I have have "no need for concern" and this is "no more than an unfortunate coincidence than a suspicious incidence". I cannot therefore but feel that you are only continuing with this because I have posted about it on a public blog where anyone can read it.

    If you truly believe that I will genuinely not be wasting my time, please e-mail me your telephone number using the contact page on my website and I will ring you when I'm back from holiday on Monday.

    ReplyDelete
  7. Thankyou for warning me. I was about to place an order on some contact lenses I found online when I saw Sage Pay came up as an option. I'd never heard of it and usually when I shop online I always use PayPal as I can guaranty it's completely safe.
    Also, I noticed usually when I have to fill in my bank information it comes up with a padlock picture by the browser bar. This time I couldn't see it. My computer also warned me about 3rd party cookies or something and how they were able to see the information on the page. I think the police should be warned about this and I'm writing an e-mail to the contact lens company to persuade them to use PayPal instead. Sorry just thaught I'd share my opinion.

    ReplyDelete
  8. Hi all, i've just come across this blog and feel the need to comment.
    I represent a company that uses Sagepay as their payment gateway. I do not work for, support or partner with them in any way and in fact i have several grievances with them on other issues, such as merchant fraud protection and their use of the Third Man merchant fraud prevention services (totally useless in protecting merchants)
    I'm shocked to read the comments and ignorance described in this blog towards Sagepay and the way credit card fraud operates, it is clear that the bloggers have absolutely no understanding about this topic.
    Firstly, Sagepay, like any other card processing company has to be "industry compliant" in exactly the same way as PayPal, Worldpay etc to be able to offer the service that they do to their clients.
    Secondly, there are a multitude of ways that fraudsters can obtain credit card details in the shopping process and to blame this on the payment gateway is ridiculous without much further evidence, for example, you mention that you rarely shop online but when you do it's mostly for the Beadshop, that immediately flags up my suspicions because although Sagepay processes the transaction, if the merchant is using their direct integration they could possibly be storing credit card details, not for malicious reasons but many merchants do this for their own protection because if a transaction is found to be fraudulent then the bank issues what's called a "chargeback" against the company and the only way the company can protect itself is to have the card details accessible to provide the bank if this occurs. It's very possible, unless the merchant is PCI compliant, that their server could be getting hacked in to and your details stolen.
    The other possibility is that (although unlikely considering the coincidence) that your own computer could be getting hacked, even if you have anti-virus software installed. Although unlikely, still a very possible reason.
    What you must understand is that there are many different avenues to which a fraudster may use to steal your details and to blame this on Sagepay is totally irresponsible. Your protection is the same with Sagepay as it is with Paypal, Worldpay and others, if you make a search for Paypal scams or fraud you are likely to see many results for this.
    Lastly, the outright rudeness in which you have treated the Sagepay representative who is only trying to help you is inconsiderate and it appears that you do not want to listen whatsoever.
    However, it might turn out to be Sagepays fault and maybe they do have a bug in their system but i strongly advise to not be naive or ignorant and consider all the other possibilities first.
    Thanks and i hope that this has been informative for all readers.
    Danny G

    ReplyDelete
  9. By the way Jean, the banks do not pay, the merchants pay when it comes to online fraud. Where do you think the banks get the money to reimburse customers when their card is misused? their profits? No, it comes directly out of the shop or company that took the payment. With regards to the police, we have consistantly tried to get help from the police and they are not interested.
    Danny G

    ReplyDelete
  10. Hi Danny, many thanks for your input and for taking the time and trouble to put forward your point of view. I would point out that I never said I rarely shop on-line. My point was that I rarely use my my credit/debit cards for ordinary shopping transactions and so the details weren't stolen using a conventional method like cloning or just writing the details down. It must've been an on-line fraud.

    I haven't had any problems with my credit card details being stolen since I stopped putting my credit card details into web sites that use SagePay as a credit card processor and whilst that too might just be a coincidence, I will not use any on-line shop that uses SagePay in the future so I'm afraid you haven't changed my mind.

    ReplyDelete
  11. Hi Sue, fair enough, however i would think it far more likely that the BeadShop database had been hacked rather than Sagepay, as Sagepay has to meet very tight industry regulations, very much like a bank, to have the licence to process payments, it's not something that any company can just go ahead and do. We've been using Sagepay for years (previously Protx) and never had one complaint from all the thousands of customers that shop on our site and we don't store customer credit card data.
    I think your comments are unnecessarily damaging for many merchants out there who may lose customers because of your comments that in fact are unproven and wildly speculative.
    People should be informed educationally and not on hunches without any insight and knowledge about the card processing procedures.
    Best regards
    Danny G

    ReplyDelete
  12. I am in fact a qualified Software Engineer, previous to making jewellery, I spent a lot of time in industry. 5 years as PA to a Financial Director and then after going back to college, 2 years as a Web Designer for a further education college and 2 years as Technical Systems Support for a Tourism company, I am not a nitwit when it comes to technical knowledge.

    Something is wrong with the Sage Pay system, whether the industry is wise to it or not and whether they're willing to own up to it or not. If it was all so great, then on-line fraud would not happen at all. Of course, the banks have very tough guidelines to adhere to, they're so very good at making the right choices, aren't they?! I wonder why they needed bailing out by the tax payer at all, really.

    ReplyDelete
  13. I ordered from a wesite that used sagepay about 3 weeks ago and I don't have any credit card fraud yet. Since you only used your credit card at one website and you haven't tried another website that uses sage pay, then you don't know wheather it was the website where you purchased your items or if it was sagepay where the information was taken. So it has nothing to do with your technical knowledge of computers. So unless you try sagepay at another website, then you can't say it has anything to do with sage pay.

    However I am not able to reach anyone through email or telephone at the website that used sagepay. That is strange, and I have not received my product yet. I am a little worried but it will probably show up in a few days. I ordered from the U.K. and I am in canada so it takes a couple of weeks depending on shipping options. So since nobody will return my call or email at the website that used sagepay for their transactions, and if I never get my package, then maybe at worst I might be able to say that sagepay might have a lot a fraudulent websites using their services, considering your post.

    ReplyDelete
  14. Rod B. ...Melbourne, Australia15 March 2011 at 11:24

    Dear Sue (and others who may be interested?)...

    Thank you for your Blog re SagePay (ex protx)...

    I recently had my Visa Credit Card details STOLEN.

    My Bank alerted me to an 'suspect' transaction about THREE weeks after I used my Credit Card on-line thru a Scottish website which uses SAGEPAY !

    I had not used my Credit Card on-line for more than about FIVE months prior to that transaction in late January 2011... and I have not used it since on-line. I rarely use my Credit Card online, but have used it regularly (locally) to pay for my utilities (electricity, gas, phone) over the telephone, with no issue.
    It seems to me a 'VERY strange coincidence' that a fraudulent transaction was made on my CC several weeks after paying for something on-line thru SAGEPAY ! ...esp after Googling today and finding similar comments on your Blogspot!
    I'm pretty tech-savvy and have VERY secure security software... the people I spoke to at my 'financial institution' informed me that they believed hackers or 'insiders' are now 'accessing' privileged CC information on presumably 'secure payment sites'(?)... this seems to be the case, I believe, in my situation?

    I'm interested in your comments...

    ...someone needs to track down these C.C. Criminals who have nothing better to do than find ways of stealing other people's money!

    Kind Regards
    Rod B
    Melbourne, Australia
    Email: MelbourneLiving (at) gmail.com

    ReplyDelete
  15. I have had the same experience with Sage pay. Four days after using it the bnak informed me that someone had copied my card details and my card was cancelled.

    James

    ReplyDelete
  16. This entry in my blog is the most accessed according to my blog statistics. It seems lots of people are interested in reading about problems with Sage Pay. I welcome all comments here, thank you to those who have left me feedback, especially Rod and James who appear to have had the same problem as myself after using a site with SagePay as a payment processor.

    I have continued to purchase widely and regularly using other on-line payment processors, I favour PayPal personally (no I don't work for them!) and always prefer sites that use it. Since I refused to use sites that use SagePay, my card details have not been compromised. Some might say it's a coincidence which they're entitled to do but I prefer to think that I'm being prudent by not trusting SagePay any more.

    ReplyDelete
  17. Sage Pay are absolutely fraudulent. Sage Pay knowingly process payments from unsuspecting customers of defunct web companies.

    ReplyDelete
  18. Gosh, that sounds bad - hope you get your money back, NM.

    ReplyDelete
  19. Yep, they got me as well. I paid through them for an item and it turns out that the online shop was just pretending to be a shop that really exists. Yes, a police matter. I've changed all my passwords, cancelled my bank cards and accounts. Thank God an error and warning message came up on my computer just after I paid.

    ReplyDelete
  20. I too have just had a bad experience with SagePay.

    I purchased two Parker pens from an online charity shop. At the check out page I filled in my billing address and the delivery address.

    1. But the delivery address fields were not enough for the Isle of Skye - which requires more than just the town and county but also the island.

    2. Then when I went to the SagePay payent screen it wanted my billing address all over again. Having just typed this in I was not happy to have to do so all over again. With websites it is possible to carry such details from one page to the next, why didn't it do so?

    3. Then the Card Details screen had the following:

    https://live.sagepay.com/gateway/service/cardconfirmation

    Card Details
    Card Type Visa Debit / Delta
    Card Number XXXX XXXX XXXX [deleted here]
    Cardholder Name [deleted]
    eMail
    Billing Address [deleted]
    Town
    [deleted here]
    Billing Post Code [deleted here]
    Delivery Address
    Delivery Post Code

    4. You will notice that the email address, delivery address, delivery post code are all missing. These have not been carried through.

    5. And what on earth is the
    tags doing in the billing address field? In fact the tags should be
    Town
    - notice the difference? THIS IS VERY SLOPPY PROGRAMMING FOR A PAYMENT SYSTEM.

    6. Then I confirmed payment and got the following screen:

    https://live.sagepay.com/gateway/service/authorisation

    Sagepay

    Please wait while your transaction is authorised with the bank.

    AFTER 5 MINUTES THIS DIDN'T CHANGE.

    7. Then I got the following:

    http://www.jst.org.uk/thank-you-for-your-order.aspx

    The connection has timed out

    The server at [deleted here] is taking too long to respond.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    ===

    THIS IS NOT GOOD BECAUSE NOW I DON'T KNOW IF MY ORDER WENT THROUGH. I DON'T KNOW WHERE MY CREDIT CARD DETAILS HAVE GONE. AND I NOW HAVE TO CHECK WITH MY BANK WHAT HAS HAPPENED. I THINK SAGEPAY IS A TOTALLY AMATEURISH PAYMENT SYSTEM - WITH UNACCEPTABLE HTML ERROS.

    MY COMPLAINT TO SAGEPAY CUSTOMER SERVICE REMAINS UNANSWERED.

    C.J.BRADY

    ReplyDelete
  21. I too have just had a bad experience with SagePay.

    I purchased two Parker pens from an online charity shop. At the check out page I filled in my billing address and the delivery address.

    1. But the delivery address fields were not enough for the Isle of Skye - which requires more than just the town and county but also the island.

    2. Then when I went to the SagePay payent screen it wanted my billing address all over again. Having just typed this in I was not happy to have to do so all over again. With websites it is possible to carry such details from one page to the next, why didn't it do so?

    3. Then the Card Details screen had the following:

    https://live.sagepay.com/gateway/service/cardconfirmation

    Card Details
    Card Type Visa Debit / Delta
    Card Number XXXX XXXX XXXX [deleted here]
    Cardholder Name [deleted]
    eMail
    Billing Address [deleted]
    Town
    [deleted here]
    Billing Post Code [deleted here]
    Delivery Address
    Delivery Post Code

    4. You will notice that the email address, delivery address, delivery post code are all missing. These have not been carried through.

    5. And what on earth is the
    tags doing in the billing address field? In fact the tags should be
    Town
    - notice the difference? THIS IS VERY SLOPPY PROGRAMMING FOR A PAYMENT SYSTEM.

    6. Then I confirmed payment and got the following screen:

    https://live.sagepay.com/gateway/service/authorisation

    Sagepay

    Please wait while your transaction is authorised with the bank.

    AFTER 5 MINUTES THIS DIDN'T CHANGE.

    7. Then I got the following:

    http://www.jst.org.uk/thank-you-for-your-order.aspx

    The connection has timed out

    The server at [deleted here] is taking too long to respond.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    ===

    THIS IS NOT GOOD BECAUSE NOW I DON'T KNOW IF MY ORDER WENT THROUGH. I DON'T KNOW WHERE MY CREDIT CARD DETAILS HAVE GONE. AND I NOW HAVE TO CHECK WITH MY BANK WHAT HAS HAPPENED. I THINK SAGEPAY IS A TOTALLY AMATEURISH PAYMENT SYSTEM - WITH UNACCEPTABLE HTML ERROS.

    MY COMPLAINT TO SAGEPAY CUSTOMER SERVICE REMAINS UNANSWERED.

    C.J.BRADY

    ReplyDelete
  22. I too have just had a bad experience with SagePay.

    I purchased two Parker pens from an online charity shop. At the check out page I filled in my billing address and the delivery address.

    1. But the delivery address fields were not enough for the Isle of Skye - which requires more than just the town and county but also the island.

    2. Then when I went to the SagePay payent screen it wanted my billing address all over again. Having just typed this in I was not happy to have to do so all over again. With websites it is possible to carry such details from one page to the next, why didn't it do so?

    3. Then the Card Details screen had the following:

    https://live.sagepay.com/gateway/service/cardconfirmation

    Card Details
    Card Type Visa Debit / Delta
    Card Number XXXX XXXX XXXX [deleted here]
    Cardholder Name [deleted]
    eMail
    Billing Address [deleted]
    Town
    [deleted here]
    Billing Post Code [deleted here]
    Delivery Address
    Delivery Post Code

    4. You will notice that the email address, delivery address, delivery post code are all missing. These have not been carried through.

    5. And what on earth is the
    tags doing in the billing address field? In fact the tags should be
    Town
    - notice the difference? THIS IS VERY SLOPPY PROGRAMMING FOR A PAYMENT SYSTEM.

    6. Then I confirmed payment and got the following screen:

    https://live.sagepay.com/gateway/service/authorisation

    Sagepay

    Please wait while your transaction is authorised with the bank.

    AFTER 5 MINUTES THIS DIDN'T CHANGE.

    7. Then I got the following:

    http://www.jst.org.uk/thank-you-for-your-order.aspx

    The connection has timed out

    The server at [deleted here] is taking too long to respond.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    ===

    THIS IS NOT GOOD BECAUSE NOW I DON'T KNOW IF MY ORDER WENT THROUGH. I DON'T KNOW WHERE MY CREDIT CARD DETAILS HAVE GONE. AND I NOW HAVE TO CHECK WITH MY BANK WHAT HAS HAPPENED. I THINK SAGEPAY IS A TOTALLY AMATEURISH PAYMENT SYSTEM - WITH UNACCEPTABLE HTML ERROS.

    MY COMPLAINT TO SAGEPAY CUSTOMER SERVICE REMAINS UNANSWERED.

    C.J.BRADY

    ReplyDelete
  23. I got this response...

    To: chrisjbrady@yahoo.com
    Date: Friday, 13 July, 2012, 8:24

    Good Morning,

    Thank you for your e-mail with regards to your order.

    SagePay are a 3rd party payment gateway. We offer a secure environment to process card payments. We do not have any involvement in the purchase/order/delivery process.

    If you would like to question any aspects of your order I can advise speaking to the Vendor you have ordered from directly using the contact details provided on their website.

    I hope this is of some use.

    If you would like to discuss this further please do not hesitate to contact me directly on 0845 111 4455

    Kind Regards,

    Stuart King
    Customer Service Advisor

    ReplyDelete
  24. Mr. King -

    Please stop wasting my time with such irrelevant buck-passing responses. It is Sage Pay's back-end payment system(s) that failed not JSTs implementation of them. I have already blogged this issue.

    Due to Sage Pay's obvious disinterest and refusal to own the problem I shall be taking this matter up with the financial authorities that have licensed Sage Pay.

    You are aware, I am sure, that Sage Pay's system must meet a number of strictly defined and secure requirements.

    Further I will raise these matters with various legal groups. Sort your backend systems out as you are legally obliged to do.

    CJB.

    ReplyDelete
  25. People, don't go all frustrated on SagePay. They are only a payment gateway. You should take it with the website that redirected you to SagePay. They send all the details to SagePay (including billing details), they must display a proper response for you, they will redirect you to a new page when the process is finished...

    ReplyDelete

Thanks so much for visiting, I love it when people leave me messages!