CPAP.com takes security seriously. Our goal is to provide a comfortable and secure transaction whether it is performed online by the user themselves or over the phone with one of our Customer Service Representatives. We take every measure to ensure data is secure from start to finish.
- Is my credit card data secure with CPAP.com?
Yes. We do not store credit card data on our servers, and all channels that carry this data are encrypted and protected to industry standards.
- Does CPAP.com store my credit card information?
The CPAP.com databases store the last 4 digits of your credit card and your expiration date. We store no other credit card information.
- If CPAP.com doesn't store my credit card information, how do you charge my card?
As you type your credit card number into our secure checkout form, it is encrypted and sent securely to our credit card processor.
When our processor receives your card information, they pass us a token that we can later claim, which authorizes us to charge your card for your order total.
When we are ready to ship, we send this token to our processor, who runs your card and confirms payment.
In this way, we never write your data to our database but can still charge your card.
- How do I know your credit card processor is secure?
Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1.
This is the most stringent level of certification available.
- What would happen if you were breached or hacked?
We would inform affected customers and our payment processor.
Our payment processor would invalidate all payment tokens stored in our database. Were someone to attempt to use these tokens once stolen, their attempts to charge cards using them would fail.
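The token flow and the breach response described in the answers above, as an added sketch that is not CPAP.com's or the processor's own code. The `Processor` and `MerchantDB` classes, the token format and the card number are constructed for illustration.

```python
import secrets

class Processor:
    """Hypothetical stand-in for the card processor, the only holder of card numbers."""
    def __init__(self):
        self._vault = {}        # token -> card number; never leaves the processor
        self._revoked = set()

    def tokenize(self, pan, expiry):
        # Models the checkout form sending the card straight to the processor.
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the card
        self._vault[token] = digits
        return {"token": token, "last4": digits[-4:], "expiry": expiry}

    def charge(self, token, amount_cents):
        if token in self._revoked or token not in self._vault:
            return {"ok": False, "reason": "invalid_token"}
        return {"ok": True, "amount": amount_cents, "last4": self._vault[token][-4:]}

    def revoke_all(self, tokens):
        # Breach response: every token the merchant held stops working.
        self._revoked.update(tokens)

class MerchantDB:
    """Hypothetical merchant store: token, last 4 digits, expiry and order total only."""
    def __init__(self):
        self.orders = {}

    def save_order(self, order_id, tokenized, total_cents):
        self.orders[order_id] = {**tokenized, "total": total_cents}

    def stored_values(self):
        return [str(v) for row in self.orders.values() for v in row.values()]

def demo():
    processor, db = Processor(), MerchantDB()
    pan = "4242 4242 4242 4242"  # constructed test card number
    db.save_order("A100", processor.tokenize(pan, "12/30"), 8999)
    row = db.orders["A100"]
    pan_in_db = any(pan.replace(" ", "") in v for v in db.stored_values())
    shipped = processor.charge(row["token"], row["total"])       # charge at ship time
    processor.revoke_all([r["token"] for r in db.orders.values()])
    replay = processor.charge(row["token"], row["total"])        # stolen token reused
    return pan_in_db, shipped, replay

if __name__ == "__main__":
    print(demo())
```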
- I would like you to remove my stored credit card information from your system.
On request, we will remove the last 4 digits of your credit card and expiration date from our system.
Our payment processor has their own data retention policy. We will request your data be "archived" in their system but they must retain some records of your transactions due to law and for record keeping.
- Where can I read full credit card, privacy and/or security policies of you and your vendors?
Stripe.com Security Page
- I think CPAP.com has been breached and my data stolen because other unknown charges have appeared on my statement.
In the case you are affected by a breach, we will notify you. In the case our processor is breached, they will notify us.
If you have not been notified, no breach has occurred.
We asked our payment processor for an explanation of how credit card black markets work and it is worth a read:
"It's a bit counter-intuitive, but when a credit card is used without cardholder authorization it doesn't matter what the card holder's last authorized transaction was--their card information is stored in lots of places, with varying degrees of security, and any of those places can be attacked or compromised at any time.
Generally, there are individuals / groups that specialize in compromising credit card information, and they then sell it to someone who specializes in using that stolen credit card information. Because there are different groups taking and using the information, it would be very unusual for the compromise-sale-usage to turn around in a few hours or the next few days, which means it's highly unlikely that...[a customer's card that showed unauthorized charges the day after a CPAP.com purchase]...was related to the unauthorized charge.
If the customer is concerned about potentially fraudulent activity on their card, the best course of action is for the customer to contact the businesses listed on the unrecognized charges for more information about each charge, and if necessary, to issue a dispute with their credit card issuer."
- Is my order secure?
We use proprietary, custom-built MadCow software to protect your billing information. Secure Sockets Layer (SSL) encrypts information and keeps the data private and confidential between your machine and CPAP.com. This technology makes it safe to transmit your credit card number over the Internet. The "s" after the "http" in the URL address line lets you know when you are on a secure page.
We host our website on dedicated servers guarded by Rackspace, one of the oldest, largest and most trusted names in web hosting. Our security certification is issued and maintained by GoDaddy, a world leader in SSL technology. We are also McAfee secure, meaning that we pass a daily security test to ensure there are no viruses, spyware, or other online threats.
GoDaddy Security Certificate Information
McAfee Secure Information
- Is my personal and order information private?
Our company also strictly follows the 1996 Health Insurance Portability and Accountability Act (HIPAA).