Is my payment secure?
Sage Pay collect card details via a 128-bit SSL-secured payment
page. We request card number, expiry dates, cardholder name and address
and security code value. This information is then further encrypted to
be held against the transaction details on our system before being sent
to the UK acquiring banks for authorisation (over secure, offline
channels). We don't store the security code (in line with Visa
requirements) but we do store the card number (only in an encrypted
format that none of our staff have access to).
Sage Pay secure your card details within our database using AES-256,
the keys for which are held on tamper-proof hardware security modules
which, as stated, are unavailable to Sage Pay staff.
When your details are supplied to us over SSLv3, the algorithm used is
RC4, as it is for almost every major e-commerce site.
SSL generates the encryption keys it uses for RC4 by hashing (using
both MD5 and SHA1), so that different sessions have unrelated keys.
Also, SSL does not re-key RC4 for each packet, but uses the RC4
algorithm state from the end of one packet to begin encryption with the
next packet.
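The two points above, the MD5-over-SHA1 key derivation and the RC4 state carried from one record to the next, as an added worked example following the SSLv3 construction in RFC 6101 (this is illustrative code written for this page, not Sage Pay's software; the pre-master secret, hello randoms and record contents are constructed sample values):

```python
import hashlib

def _ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """SSLv3 key expansion (RFC 6101): each 16-byte output block is
    MD5(secret + SHA1(label + secret + seed)) with labels A, BB, CCC, ..."""
    out = b""
    for i in range((length + 15) // 16):
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:length]

def ssl3_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # The master secret seeds with ClientHello.random before ServerHello.random,
    # so two sessions with different randoms get unrelated 48-byte secrets.
    return _ssl3_expand(pre_master, client_random + server_random, 48)

def ssl3_rc4_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    # The key block swaps the order (ServerHello.random first). For RC4-128
    # with MD5 MAC it holds two 16-byte MAC secrets followed by two 16-byte keys.
    kb = _ssl3_expand(master, server_random + client_random, 64)
    return {"client_mac": kb[0:16], "server_mac": kb[16:32],
            "client_key": kb[32:48], "server_key": kb[48:64]}

class RC4:
    """Minimal RC4; the object keeps its keystream position between calls."""
    def __init__(self, key: bytes):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)

def encrypt_records(key: bytes, records: list) -> list:
    """Encrypt successive records with ONE RC4 state, as an SSLv3 connection
    does: the second record continues where the first left off, no re-keying."""
    rc4 = RC4(key)
    return [rc4.crypt(r) for r in records]

def demo() -> dict:
    # Constructed sample values; in a real handshake these come from the peers.
    pre_master = bytes([3, 0]) + bytes(range(46))
    client_random, server_random = bytes(32), bytes(range(32))
    master = ssl3_master_secret(pre_master, client_random, server_random)
    keys = ssl3_rc4_keys(master, client_random, server_random)
    records = [b"record one", b"record two"]
    return {"master": master, "keys": keys,
            "ciphertexts": encrypt_records(keys["client_key"], records)}
```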
The SSLv3 certificates we obtain from Verisign to secure our site can
support AES-256 as the encryption algorithm, but the vast majority of
customers use IE6 or below and older versions of Firefox and Netscape.
Most also run on Microsoft Windows, which, until Vista is released,
cannot use AES in SSL encryption. At present, the vast majority of
sessions will be encrypted at 128-bit, but with a strong algorithm like
correctly implemented RC4, 128 bits is more than enough to ensure the
security of your card details.
We can also assure you that your details would not have been gleaned from
our system (which has been approved, and is regularly audited by Visa
and Mastercard as one of the most secure sites in the UK).
Our systems are independently audited by the UK acquiring banks and we
are compliant with the card schemes themselves (both Visa and
Mastercard) under their Payment Card Industry Data Security Standard
which ensures we meet very strict security guidelines (see this link
http://www.visaeurope.com/aboutvisa/security/ais/main.jsp for more information).
I hope this explanation helps allay your security fears. Please do not
hesitate to contact us if you have any further concerns.