As an online business, security is vitally important. We try to be open and transparent about the way we manage our website, servers and customer data, read below to find out more about how we manage that.
This page is designed to give you an overview of our security procedures and show you how shopping on our site is safe. We've tried to make this page as easy to read as possible by explaining things in normal language, without too much 'internet jargon' (we hope!).
For those that don't want to read too much, we've written an overview of our security procedures below, and included a few tips on how you can test our security so you can see for yourself how secure we are.
If you don't understand anything, think something could be clearer or would like more information - please let us know via the contact us page.
We take security very seriously. We understand that if we make a mistake with sensitive data then hundreds or thousands of people will be affected. It's not an area we want to make mistakes with!
In general, we err on the side of caution with a lot of our systems and procedures. We probably go further than we need to to ensure that your (and our) data is not compromised - however, we don't think this is a bad thing.
- We do not store customer credit card details
- All sensitive information is transferred securely using the highest level of SSL certificate commercially available
- All account passwords are stored in an encrypted format and we don't have access to them
- Our website and offline files are all securely backed up regularly
A lot of the systems or procedures we use are spread across different platforms or companies. We do this because it limits the risk if one of our systems fails. It's a bit like not putting all your eggs in one basket.
We spend a lot of time investigating the available options to ensure that each system we choose to use is as secure as possible. Often we use the market leader in each sector, so our SSL certificate is provided by Comodo, our email is hosted by Google, our backup is by an equally well-known brand etc. By choosing which people we work with in each area, we're able to not compromise in any single area.
Can't Give it all Away
While we would love to tell everyone what systems we use and how we do it, doing so would make us more vulnerable. Because of this, we've not given any specific details of the systems or services we use, unless they are readily available on our side (for example it's public knowledge that our SSL certificate is provided by Comodo).
Perhaps the most important aspect of an online purchase to secure is the payment data. When you checkout on our site you will be given a number of payment options. If you choose to pay by credit or debit card directly on our site, all the information is securely encrypted in your browser using the highest level of commercially available SSL technology (read more about that below). That means that when you click the 'purchase' button, the information is jumbled up and sent to us - anyone who intercepts the data being sent to us only sees the jumbled up version, not the actual data. When it gets to our end, we have the SSL key so we're able to unjumble it.
Credit Card Payments
When you pay via a credit card, we don't store the card details on our server. When you enter your card number, it is securely encrypted and sent to the payment processor who charges your card the correct amount. The payment processor then returns us some non-sensitive information such as the last 4 digits of your card number, a transaction ID and an authorisation code. By not storing any card information, we make our system less appealing to attack.
If you choose to pay by PayPal, you'll be redirected to the PayPal website to make payment. PayPal is a world leader in online payments, and therefore always use the latest technology and systems to ensure their website and payment systems are protected. They also offer buyers some protection against online purchases, so you may want to choose this payment method for those reasons (credit card companies offer similar services, but people may prefer the way PayPal deal with it).
SSL is a way to securely transfer information over the internet. When you access a website, information (in the form of the webpage) is transferred between the server it comes from and your computer. If that information contains sensitive data, you want the information to be sent securely. Websites use SSL to transfer this information safely and securely. It stops anyone 'snooping' on what you're doing so that if anyone intercepts the transfer between the server and your computer, they see an encrypted version of the data.
You can tell if a webpage is being sent by a secure connection by looking at the start of the address (the URL). There will be an extra 's' in the URL if it's being transferred via a secure connection: If it's http:// then it's not secure, if it's https:// then it is secure.
However, not every type of SSL certificate is the same, and there are a number of types available. We use what's called an 'Extended Validation' SSL certificate which provides the highest level of assurance currently available. This not only secures the connection via the highest level of encryption currently available (2048-bit) but it also guarantees who that information is being sent to.
Sending information securely is only half the battle. We believe it's important to know who you're sending your confidential details to, so by showing you who we are, you know where that information is going. When you access any secure page on our site a section of the address bar will turn green and show you our company name (Macdonald Sporrans Ltd) so that you know what website you're on and who you're sending the information to.
Our server is a dedicated computer that houses our website and database. As it stores all our customer information and our site files, it's important that we keep it as secure as possible. Our server is physically located in the UK in a secure environment. Physical access to the server buildings is severely restricted and our host utilises the latest technology to ensure that it is also protected from unauthorised online-based access.
Online access to our server is strictly limited to select members of our team and our lead developer. By limiting external access to our server, we reduce the likelihood that people can compromise the integrity of our site. We operate a fully functional private test site so that we can trial new procedures before putting them onto the live site.
We also take additional security measures including things like virus/malware scanning to avoid malicious code, and firewalls to restrict unwanted access.
In the event that our server fails, we take regular backups of our database and site files to geographically redundant server.
Our site files are also controlled via a repository so we control and monitor file changes through that.
We use a hosted email solution provided by Google. Google are widely regarded as one of the world leaders in online technology and security. They are also extremely reliable which means our email system is very robust and securely backed up.
This also means that in the event that one area of our system is compromised, the other areas are still secure (ie if our server is hacked, our emails are still safe).
All account based pages are accessed via a secure connection. However, to make sure that your account is not accessed by anyone else we recommend that you choose a secure password. Secure passwords should be unique (ie not used for your online bank as well!) and preferably should be alphanumeric codes of 10+ characters so that they cannot be guessed (eg it's better to use 'dn83I9mXx58Hg' rather than 'password').
We store all account passwords in an encrypted format (using a salted MD5 cryptographic hash function). Hashing a password takes the original password and converts it into a random string of digits. This means that if someone gains access to our server - they cannot see customer passwords as they are all saved as random strings of digits (we can't see them either!).
This section deals with the data we store on our computers in our office, rather than the data we store on our server. See the 'Server Security' section above for our server data security.
We use backup software which automatically backups up all files on all our computers, as soon as they are saved, to a secure online vault.
We use Passpack to manage and share online account passwords so passwords to our website admin section, our server, our email accounts etc are not saved on computers. You can read more about Passpack's security here. We chose this company because they have a no-compromise attitude to security.
Generally we use 15+ digit alphanumeric passwords for all potentially-confidential online services, including our website, email and server. This virtually eliminates the risk of someone guessing them, and hugely reduces the risk of a 'brute-force' password attack (where someone uses a computer to try different combinations of passwords until it finds one that works).
We can write lots and lots about how secure we are - but the real proof is in the pudding! Here are some ways you can test this site to check how secure it is:
- Visit the secure version of this page and check the URL bar turns green and displays our company name: Macdonald Sporrans Ltd. Different web browsers work slightly differently, but a portion of the address bar should turn green. Clicking on our company name should bring up a box which has details of our SSL certificate including our location. This assures you that you are connected to our server securely.
- Check our site for malware using online tools. Click any of the links to view an instant security report via the following services: Norton Safe Web, Google Safe Browsing Diagnostic page, McAfee's SiteAdvisor and AVG ThreatLabs. You can of course also use any other tool you can find to check us, but the above ones are from big, reputable companies. FYI Some reports may show our 'location' as in the United States because our server is the in the US - we are based in Edinburgh, Scotland.
- Not a fan of all this digital stuff? - pick up the phone and call us! Our number is shown at the top of every page and if you call between 09:00 and 17:30 (UK time) then a real person will pick up the phone and will happily answer any questions you have.