EcigExpress Public Announcement regarding security


linnx

Unregistered Supplier
ECF Veteran
Apr 18, 2009
1,823
1,128
Washington USA
www.ecigexpress.com
ecigexpress Public Announcement!

Dear valued customers,

In recent weeks, we have heard a number of concerns regarding the security of our website and of our customer transactions. To address these concerns, our site/system has been examined continuously by a number of security firms. The result of these examinations was that our system was completely clean and protected. Regardless, we have now updated to a higher security layer under Verisign, an EV SSL. This new security system is well above and beyond most online retail security systems, and is similar to the systems used at banks. This security system is also in compliance with PCI standards.

Also, please note that our system does not store any credit card information. Thus, there is nothing to hack from our site. In addition to the upgraded security, we have also switched payment processors, in an effort to cover all parts of the transaction process. We also continuously scan for Malware, and are undergoing automatic tests of our security every hour.

Please be assured that everything that can be done regarding this issue has, and is continuously being done. Our security is now tighter than ever before and we can say with every bit of confidence that we are conducting secure and safe transactions with our valued customers.

We thank you for your continued patience, understanding, input, and valued business!

Also, please view the following pics as other measures we have taken. The PCI compliance is mandatory which we have always been, but we have taken it even further.
greenbar.jpg NortonCloseup.jpg trustwave.jpg


Have a great day!

Best Regards,

ecigexpress TEAM
 

nahoku

Super Member
ECF Veteran
Verified Member
Mar 5, 2013
554
291
Honolulu, Hawaii
Thank you for posting this. I appreciate that ecigexpress has been listening to our concerns. I have not investigated any of the other supplier forums to see if anyone else is listening, but I will right after this.

Can I ask what specific date range your security was updated? I know it takes some time, but was this all done after Apr 29, 2013?

TIA
 

linnx

Unregistered Supplier
ECF Veteran
Apr 18, 2009
1,823
1,128
Washington USA
www.ecigexpress.com
ecigexpress.com has always used advanced security technology to protect customer data. We strive to have the best security in the industry, but in light of the increase in credit card fraud worldwide, we took proactive steps to implement the same security technology that banks use. So, even though our security has always protected our customers, we implemented the most advanced security features in the world. I want to assure our customers that conducting transactions on ecigexpress.com is completely safe, and we will continually strive to be the best in the industry.

Our PCI scans and simulated hacks (a part of PCI compliance) have been in place since PCI compliance became mandatory (2 years or more?). We had the EV SSL installed May 6th and had our website audited by a third-party developer to compare all files for any changes (searching for malicious code) this week. Even though nothing was found, and no differences in files were discovered, we consulted with security experts for anything else we can possibly do to ensure the safest possible shopping experience.

Thanks!

 

retrox

Flavor Chaser
ECF Veteran
Verified Member
Feb 10, 2013
863
1,692
NC, USA
Thanks very much for the reassurance, linnx. I'm sure we're all a bit disgusted by the criminals who appear to be targeting this young market, especially as it's an industry that is continually threatened by our very own government institutions in many cases. Persecution and grief from all sides, eh?

What I'm taking from your posts is that there were no security breaches or weak points at all detected over the course of testing the current incarnation of the new site. Is that correct? If there were even a slight hiccup in the site's security at any point, I'm sure it would ease a lot of minds to disclose that information.

Regardless, again, thank you very much for this response. This is precisely the sort of reaction that should satisfy your existing customer base, and help to expand it into the future. I look forward to placing my next order at ECX with confidence.
 

nahoku

Super Member
ECF Veteran
Verified Member
Mar 5, 2013
554
291
Honolulu, Hawaii

Thank you for the reply, although I'm still unsure if my question was answered directly. As you might suspect, I'm one of those who just recently had my CC defrauded, and while everything is cleared up with my CC company now, it was a real pain and bother. The fraud was caught on Apr 29.

As I stated before, I'm very appreciative about what you've done here! Thank you!

nahoku
 

linnx

Unregistered Supplier
ECF Veteran
Apr 18, 2009
1,823
1,128
Washington USA
www.ecigexpress.com
Just FYI for those with some interest and who may not know, some may not know this, but there are several layers (third parties) to your eCommerce transaction (all e-commerce transactions around the world happen in this fashion, or similar, when Visa/Master/Discover/AMEX is used). Each layer is required to be PCI compliant and scanned for malware and have a secure process in place.

Hosting: This is the server that hosts the e-Commerce site. In our case it is located on a dedicated server at Nexcess.net

Website: The customer interface to browse a website and place an order.

Gateway: At the time you enter the cc details, the information is passed on to a payment gateway securely.

Merchant Account: Finally, payment goes through to merchant account.

Of course hackers are relentless creatures so we have to remain diligent in monitoring everything that goes on at the server level, utilize the services of TrustWave, Norton, McAfee, and have periodic audits of security. In addition, FTP logs are monitored to ensure no unauthorized files were modified.

Also, all sensitive systems require authentication by trusted IP to a whitelist. If one is not on the whitelist, one does not gain access to sensitive areas.

Please share your comments and suggestions

Thank you :)
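
An added example, not part of the original post and not ecigexpress's own tooling: one way to review FTP transfer logs against a trusted-IP list, the two measures named in the post above. It assumes the FTP server writes xferlog-format lines; the networks, paths and log lines are constructed for illustration.

```python
import ipaddress

# Assumption: trusted admin networks (documentation address ranges, constructed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.17/32")]

# Constructed sample lines in xferlog format (not taken from the thread).
SAMPLE_LOG = """\
Mon May  6 09:14:02 2013 1 192.0.2.5 18342 /var/www/shop/index.php b _ i r deploy ftp 0 * c
Tue May  7 03:41:55 2013 1 203.0.113.77 2211 /var/www/shop/app/checkout/Payment.php b _ i r deploy ftp 0 * c
Tue May  7 10:02:11 2013 2 203.0.113.77 90412 /var/www/shop/media/logo.png b _ o r deploy ftp 0 * c
Wed May  8 22:17:40 2013 1 198.51.100.17 512 /var/www/shop/media/old banner.jpg b _ d r deploy ftp 0 * c
Thu May  9 01:05:09 2013 1 198.51.100.99 744 /var/www/shop/skin/x.js b _ i r deploy ftp 0 * i
garbage line
"""

def parse_xferlog(line):
    """Parse one xferlog line; return None if it does not fit the format."""
    t = line.split()
    if len(t) < 18:          # 8 leading fields + filename + 9 trailing fields
        return None
    try:
        host = ipaddress.ip_address(t[6])
    except ValueError:       # hostname logged instead of an IP address
        return None
    return {
        "time": " ".join(t[:5]),
        "host": host,
        # Parsing from both ends keeps a filename containing spaces intact.
        "path": " ".join(t[8:-9]),
        "direction": t[-7],  # i = upload, o = download, d = delete
        "user": t[-5],
        "status": t[-1],     # c = complete, i = incomplete
    }

def untrusted_modifications(log_text, trusted=TRUSTED_NETS):
    """Return (flagged, skipped): uploads/deletes from untrusted hosts, and
    the count of unparseable lines so they are reviewed rather than dropped."""
    flagged, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog(line)
        if rec is None:
            skipped += 1
            continue
        modifies = rec["direction"] in ("i", "d")
        if modifies and not any(rec["host"] in net for net in trusted):
            flagged.append((rec["time"], str(rec["host"]), rec["direction"], rec["path"]))
    return flagged, skipped
```

Incomplete uploads are flagged as well, since an interrupted write from an unknown address is as relevant to the review as a finished one.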
 

JeremyGa

Full Member
Verified Member
Jul 6, 2012
46
28
42
Albany, GA
www.youtube.com
I ordered from you this past week and now my card has been stolen for the second time. Your system is flawed. I order a very large amount from you, but after the second time having my card stolen after an order, you will get no more of my business. It's great that you tried to rectify the problem and this is in no way intended to be nasty, I just can't risk losing my account again for a week being a business owner, it's just not smart on my part to place an order with a company infested with fraud. You should not be able to accept another order until your issues with fraud are taken care of.
 

linnx

Unregistered Supplier
ECF Veteran
Apr 18, 2009
1,823
1,128
Washington USA
www.ecigexpress.com
I do understand your concern. We have taken many precautions to prevent this from happening.

Just as preventative measures, we have compared every file on the server to originals, installed an EV SSL, had a third-party security audit, scanned for malware daily. In addition to this, it is not possible to gain access to any back end system without being on a trusted IP whitelist. Also, we do not store credit card numbers on our systems. We have also changed our credit card processor and eliminated any possibility that it was a third party that processes the credit card.

There are countless ways for thieves to gain access to cc information, including credit card generators easily found by searching for them, malware, phishing, etc.

I do understand the frustration as I've had to get many cards re-issued this year, and I only shop with this card on Amazon.com

We do put several test orders through ecigexpress.com weekly with a dedicated credit card for that and have not had any issues with it.
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,851
Near Atlanta, Georgia, US of A
Thanks for taking the time to come on here, and reply to the members' concerns.

Also, you are definitely right, there ARE tons of ways fraud can happen, and credit card info can get stolen.


However, it is NOT a coincidence that fraud is happening in record numbers among the vape community. From a computer security perspective, it is obvious something is being exploited here in the vape community. I spent quite a bit of time last week contacting as many people as I could on these forums, and reading EVERY fraud thread I could, in order to find as much info as I could, to possibly help minimize the possibility of this happening again.

I found NO single vendor that can be singled out.....only a few vendors that definitely DID have an exceptionally high number of possible fraud cases. I won't make that public, I don't want to harm any vendors on here.


I came to the conclusion, like others, that it more than likely IS the credit card processing company's fault. Or at least it is on THEIR end that the fraud is occurring.

Thank you VERY much for changing your CC processing company. I think that is the best step you could have taken. You might want to put that on your vendor web-site if you haven't....to let others know.

Thanks :)
 

DeeKien

Full Member
Verified Member
May 22, 2013
29
11
34
Ontario Canada
thanks for posting this. i was a victim before the post, it was frustrating to see my card charged in 3 different countries lol but i am being reimbursed. you guys still worked well as a company to ship out the products really quickly. have not received them yet because usps sent it for a scenic route to california before going into canada lol
 

buffaloguy

Ultra Member
ECF Veteran
Feb 22, 2012
1,148
1,167
Buffalo NY
  • Deleted by linnx
  • Reason: Keep posts relevant please.

Uma

Vaping Master
ECF Veteran
Verified Member
Mar 4, 2010
5,991
9,998
Calif
I hope they show proof. We're now wrapping our cards in foil, even the supposedly non-scannable ones. (that's just a matter of time right). We might have been pocket scanned while waiting in line at the grocers or even at the bank itself.
I so hope ECX posts their security data like you asked, Buffaloguy, because they're a great place to shop for great products. I want all the protection I can get, we all deserve all the protection we can get, plus the absolute assurance of said security.
 

linnx

Unregistered Supplier
ECF Veteran
Apr 18, 2009
1,823
1,128
Washington USA
www.ecigexpress.com
Thank you for your feedback.

We have gone through great lengths to ensure the security of the website. The documentation we have includes simulated hacks by third parties including TrustWave, McAfee, and Norton. In addition, all logs are monitored daily. Everything is on a dedicated server in which all activity is monitored.

If you have any specific questions, feel free to let us know.

You can reach us by calling 1-888-418-2215 from 10am-6pm Monday-Friday or visit us on location at 1321 Cornwall Avenue.

 