I emailed expansys, and got the following obviously canned reply:
> Dear Sir / Madam,
> You may not be aware that in an Internet transaction the retailer
> carries ALL of the transaction risk, not the credit card company.
> Even if we obtain an authorisation number on the basis of an address
> check, we are still 100% responsible for any fraudulent use of any
> credit card with us.
> >From your point of view, we hope you will realise that we are trying

> our best to ensure legitimate use of your card. While you may know
> that your card is not being used fraudulently in this instance, we
> have to take what steps we can to verify your identity, and so
> protect you against fraud.
> We ask for a fax copy of the card to prove that the person using the
> card actually has it in their possession, we need the signature to
> match it against the signature on the order confirmation and hence
> try to verify the identity of the person placing the order.
> As a value based retailer, we take what we believe is a responsible
> attitude towards safeguarding both you and ourselves, while employing
> off-line methods to verify customer identity in order to keep costs
> as low as possible.
> While we understand the inconvenience, we hope you understand why we
> make these requests. The information provided in some instances does
> occasionally clearly indicate an attempted fraud when other measures
> show nothing suspicious.
> Regards
> eXpansys
> UK - +44 (0)161 868 0868
> France - +33 467 457 780
> USA - +1 309 820 7913
> www.expansys.com

This doesn't explain why they want my credit card statement, or what
propose to do with the information they glean from it. (The bit about
the signature on the order confirmation obviously doesn't apply to an
order.) I've asked for further clarification, but am not holding my