Is my payment secure?
Sage Pay collect card details via a 128-bit SSL secured payment
page. We request card number, expiry dates, cardholder name and address
and security code value. This information is then further encrypted to
be held against the transaction details on our system before being sent
to the UK acquiring banks for authorisation (over secure, offline
channels). We don't store the security code (in line with Visa
requirements) but we do store the card number (only in an encrypted
format that none of our staff have access to).
Sage Pay secure your card details within our database using AES-256,
the keys for which are held on tamper-proof hardware security modules
which as stated are unavailable to Sage Pay staff.
When your details are supplied to us over SSLv3, the algorithm used is
RC4, as it is for almost every major e-commerce site.
SSL generates the encryption keys it uses for RC4 by hashing (using
both MD5 and SHA1), so that different sessions have unrelated keys.
Also, SSL does not re-key RC4 for each packet, but uses the RC4
algorithm state from the end of one packet to begin encryption with the
The SSLv3 certificates we obtain from Verisign to secure our site can
support AES-256 as the encryption algorithm, but the vast majority of
customers use IE6 or below and older versions of Firefox and Netscape.
Most also run on Microsoft Windows, which until Vista is released,
cannot use AES in SSL encryption. At present, the vast majority of
sessions will be encrypted at 128-bit, but with a strong algorithm like
correctly implemented RC4, 128-bits is more than enough to ensure the
security of your card details.
can also assure you that your details would not have been gleaned from
our system (which has been approved, and is regularly audited by Visa
and Mastercard as one of the most secure sites in the UK).
Our systems are independently audited by the UK acquiring banks and we
are compliant with the card schemes themselves (both Visa and
Mastercard) under their Payment Card Industry Data Security Standard
which ensures we meet very strict security guidelines (see this link http://www.visaeurope.com/aboutvisa/security/ais/main.jsp
for more information).
I hope this explanation helps allay your security fears. Please do not
hesitate to contact us if you have any further concerns.