The Green Sheet

Monday, November 30, 2009

Holidays a boon for data thieves, too

For many retailers battered by a difficult economy, this year's holiday season offers not only a little festive mirth but also their best chance to climb out from the doldrums.

Yet the retail surge expected in the coming weeks could be a boon for thieves as well, according to Bob Russo, General Manager of the PCI Security Standards Council. Accordingly, Russo recommends that retailers be particularly vigilant about theft this month.

"Tis the season to be stealing," Russo said.

A number of dangers

The sources of heightened peril are many, Russo said. One is simply the anticipated leap in overall sales volume, which will give thieves more opportunities to strike by the sheer number of people using payment cards.

Russo said purchases around the holiday season tend to be larger per ticket than they are normally. He added that the National Retail Federation predicts 28 percent of shoppers will use credit cards to buy Christmas presents this year – meaning a lot of lucrative data will be floating around.

Another potential source of problems, Russo said, is an increased reliance among retailers on temporary employees, many of whom are hired hastily and without the use of proper background checks. Russo said that while short hiring windows often necessitate forgoing thorough background checks, it is nonetheless important that employers at least check the references of potential hires.

"Employees are pretty transient this time of year," Russo said. "Who's to say somebody's not going to come in and spend two days raking you over the coals and then leave?"

It is prudent to limit the access such employees have to financial records and other sensitive information, Russo said. He also recommended giving every employee a unique password for entering the company computer network – a measure he said is both a deterrent to crime and a way to trace criminal activity in the event that it does happen.

"You've got to put [new employees] through some sort of training, stay on top of them, teach them what to do in case there's criminal activity they're seeing," Russo advised. "Who do they contact? Where do they go first? 'Procedures' is the buzzword here. I hate to say this, but management hovering is a good way to keep track. If they see an authority, they'll certainly be toeing the line, so to speak."

Russo said the dangers of both employee and customer theft are further heightened by the use of extra "satellite" cash registers and payment terminals to cope with the bombardment of shoppers. Extra stations make it hard for managers to properly monitor their money, and new and unattended terminals are also significantly more vulnerable to tampering.

Usually such tampering involves placing a "skimmer" onto a terminal, which lifts the data off any payment card subsequently used on the device. Skimming devices often fit seamlessly onto a terminal, making them hard to detect even under normal circumstances. Russo said they are even more likely to go unnoticed when used on new payment terminals with which store owners have little familiarity.

Vulnerable cash registers and terminals

As a precaution, Russo recommended taking pictures of such devices and then checking regularly for discrepancies between the pictures and the physical terminals. He also suggested running a hand across the top of all terminals periodically to check for a raised surface or uncovered screws, both of which can indicate the presence of a skimmer.

"You want to make sure that to some degree you have [payment acceptance equipment] in a protected area," Russo said. "You can't put cameras up all over the place, but try to follow an ATM kind of a standard: make sure it's not two feet from the door where someone can shove their hand in and run away. And, finally, monitor what's going on on a regular basis."

Russo added that monitoring should always involve checking computer logs for potential criminal activity. Some programs, he said, will alert retailers to potential fraud (for example, an employee accessing records he's not supposed to see) via e-mail or text message, but most require that owners be proactive and check their records.

Common sense measures

Generally speaking, bolstering security over the holidays should entail very little technical work, Russo said.

"There's really a laundry list of things you can do," he said. "It's just simple things, nothing out of the ordinary, to protect what's going on this time of year when it's crazy."


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
