Cotton Traders, the clothing retailer, is refusing to give details of the security arrangements in place when its website was hacked and customer card details stolen.
The firm denied reports that 38,000 customer card details and addresses were stolen earlier this year, but would not say how many customers were actually affected.
A company representative said the figure was “significantly less” than the 38,000 quoted by the BBC.
Barclaycard processes all payments made on the Cotton Traders website, but said it would not comment on individual cases.
A source close to the problem said Barclaycard was not at fault, and did not host the Cotton Traders website or store its customer data.
Cotton Traders would not state which hosts it uses or what systems are in place.
It also refused to comment on whether it had encrypted the data that was lost, but confirmed that customer credit card data is currently encrypted. It said it had recently upgraded security on its website, “validated by leading industry experts”, but would not say what changes have been made.
Actions to remedy the problem were completed five months ago, and all customers potentially affected were notified at the time, the company said. It said it took security “very seriously”, and that its website is “safe”.
“In January 2008 we identified a security issue. We immediately brought in industry security experts to resolve the problem,” Cotton Traders explained.
Police are investigating, payments clearing body APACS confirmed.
Earlier this month, data thieves broke into computers at US supermarket chains Hannaford Brothers and Sweetbay, stealing an estimated 4.2 million credit and debit card numbers.
Meanwhile, address verification systems are also coming under the spotlight as security breaches rise, according to fraud screening services firm the 3rd Man.
These systems are used by retailers and credit card companies to verify the identity of buyers, and are being exploited by fraudsters to order goods from retailers and have them delivered to an address of their own choosing, the 3rd Man said.
AVS systems match the billing address entered by the buyer online with the address held by their credit card company in order to authorise the transaction. They use a simple code created by taking the house number and the numbers in the postcode for each card issued.
If fraudsters use card details and addresses they have stolen, they know this AVS code straight away. This means they can find a card that has an AVS number that matches another address they want delivery to, and have the products delivered there while billing the original cardholder, the 3rd Man said.
It added that fraudsters “can virtually guarantee ... the retailer actually has no realistic way of verifying the correct address details”.
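The weakness described above, from the retailer's side, as an added example that is not from the article or the 3rd Man: the numeric code discards the street name and postcode letters, so a screening step should compare the full delivery address with the billing address and not treat a matching code as proof. The code format, function names and sample addresses are constructed assumptions based only on the article's description.

```python
import re

def avs_code(address_line: str, postcode: str) -> str:
    """Numeric-only code as the article describes it: house number plus the
    digits of the postcode. Assumption: the leading number is the house number."""
    house = re.match(r"\s*(\d+)", address_line)
    house_digits = house.group(1) if house else ""
    post_digits = "".join(re.findall(r"\d", postcode))
    return f"{house_digits}|{post_digits}"

def normalise(address_line: str, postcode: str) -> str:
    """Full-text form of an address: case, spacing and punctuation removed,
    but street name and postcode letters kept."""
    return re.sub(r"[^a-z0-9]", "", (address_line + postcode).lower())

def screen_order(billing: tuple, delivery: tuple) -> str:
    """Retailer-side decision that does not rely on the numeric code alone."""
    if avs_code(*billing) != avs_code(*delivery):
        return "avs_mismatch"
    if normalise(*billing) != normalise(*delivery):
        # The numeric code agrees, yet these are two different places.
        return "manual_review"
    return "match"

# Constructed sample addresses (not real customer data).
BILLING = ("12 High Street", "AB1 2CD")
SAME_REFORMATTED = ("12 high street", "ab12cd")
DIFFERENT_PLACE = ("12 Mill Lane", "XY1 2ZZ")
OTHER_NUMBER = ("14 High Street", "AB1 2CD")

if __name__ == "__main__":
    for delivery in (SAME_REFORMATTED, DIFFERENT_PLACE, OTHER_NUMBER):
        print(delivery, avs_code(*delivery), screen_order(BILLING, delivery))
```
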
Card-not-present fraud on UK cards hit a value of £290.5 million in 2007, APACS reported, an increase of 37 percent on the previous year.