DustinT
Hi, Dustin here from MFS. Wanted to touch base to clear up a few things as much as possible.
Yes, unfortunately our site was attacked and a data breach did occur earlier this year. We have directly notified all customers that were possibly affected by the attack to let them know that their information may have been vulnerable.
Since then we have made several changes to improve security and secure our customers' data. One of the main steps we took was to hire an established and well-respected security firm to handle our payment processing. As a result, our site is 100% Level 1 PCI Compliant and is more secure than 99.9% of websites online. For the more technically savvy I have included a bit more info below about how payment data is handled so that it is no longer stored or even really entered on the MFS website. I'm not an expert in this field, but I'll explain it the best I can.
1) During the payment phase of checkout the credit card number and CVV number fields are served using an iFrame from the security firm that handles our payment processing
2) Customer enters their sensitive payment info directly into the iframe and submits it directly to the security company (data is encrypted and therefore not vulnerable to cross-site scripting)
3) Security company replies with tokenization value rather than full payment data to confirm valid data was received
Using this method customers are actually never inputting their payment data into the MFS site. It looks like you are submitting it to the MFS site, but because of the iframe the fields with the sensitive data are actually submitted directly to the security firm's site where it is encrypted. Video about how it works can be found here: http://www.hostedpci.com/iframe-security/
Also, for those asking about payment info saved on their account so that they don't have to reenter it when placing another order, this info is not saved on the MFS site either. It is encrypted on the security company's server and therefore cannot be accessed by anyone if they were to attack our site again. What about their server, you say? An attack on their server would be next to impossible and even then the data is encrypted, so it would essentially be useless.
We have constantly monitored our site intensely and we deeply investigate every inquiry regarding the possibility of subsequent breaches, but to date we have found zero evidence that any further info has been breached outside of the window earlier this year.
We certainly understand everyone's concerns regarding the safety of their information and think it is a good thing that many people are so hesitant. As painful as this experience was for us, it did serve to teach us a lot about the capabilities of the attackers and what can be done to prevent them. As a result, we are way more prepared and protected than most other sites you may visit and are more confident than ever that the sensitive info customers input on our site is safe and sound.
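The hosted-iframe tokenization flow from steps 1 to 3 of the post above, seen from the merchant page's side, as an added example that is not part of the original post and not the payment provider's actual API. It assumes the iframe returns its token with `postMessage`; `PROCESSOR_ORIGIN`, the message shape and the `tok_` token format are hypothetical.

```javascript
// Added example: merchant-side check of what comes back from a hosted
// payment iframe. Origin, message shape and token format are assumptions.
const PROCESSOR_ORIGIN = "https://pay.processor.example"; // hypothetical

// Luhn check: true when the value is a syntactically valid card number.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {          // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Decide what the merchant page may keep from a message event.
function handleIframeMessage(event) {
  // Only the processor's frame may hand the page a payment token.
  if (event.origin !== PROCESSOR_ORIGIN) {
    return { ok: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (!data || typeof data.token !== "string") {
    return { ok: false, reason: "no token" };
  }
  // A raw card number here means tokenization was bypassed: drop it.
  if (looksLikeCardNumber(data.token)) {
    return { ok: false, reason: "raw card number" };
  }
  if (!/^tok_[A-Za-z0-9]{16,64}$/.test(data.token)) {
    return { ok: false, reason: "bad token format" };
  }
  // Build the order from the token and display data only, ignoring
  // any other field the message carries.
  const last4 = /^\d{4}$/.test(data.last4) ? data.last4 : null;
  return { ok: true, order: { paymentToken: data.token, last4 } };
}

// In a browser the page would register it like this:
// window.addEventListener("message", (e) => handleIframeMessage(e));
```

The merchant server then stores and charges against `paymentToken` only; the card number and CVV never appear in its requests, logs or database.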