The Green Sheet Online Edition
December 14, 2009 • Issue 09:12:01
Holidays a boon for data thieves, too
For many retailers battered by a difficult economy, this year's holiday season offers not only a little festive mirth but also their best chance to climb out from the doldrums. Yet, the year-end retail surge is liable to be a boon for thieves as well, according to Bob Russo, General Manager of the PCI Security Standards Council. Accordingly, Russo recommends that retailers be particularly vigilant about theft this month.
"'Tis the season to be stealing," Russo said.
A number of dangers
One source of heightened peril is simply the leap in overall sales volume during the holidays, which gives thieves more opportunities to strike by the sheer number of people using payment cards.
Russo said purchases around the holiday season also tend to be larger per ticket than they are normally, and the National Retail Federation predicts 28 percent of shoppers will use credit cards this year to buy Christmas presents - meaning a lot of lucrative data will be floating around.
Another potential source of problems is increased reliance among retailers on temporary employees - many of whom are acquired hastily. Russo said that while short hiring windows often necessitate that employers forgo thorough background checks, it is nonetheless important that they at least check potential hires' references.
"Who's to say somebody's not going to come in and spend two days raking you over the coals and then leave?" Russo said.
It is prudent to limit such employees' access to financial records and other sensitive information, Russo noted. He also recommended giving every employee a unique password for entering the company computer network; this serves as a deterrent to crime and a way to trace criminal activity in the event that it does happen.
"You've got to put [new employees] through some sort of training, stay on top of them, teach them what to do in case there's criminal activity they're seeing," Russo advised. "'Procedures' is the buzzword here. I hate to say this, but management hovering is a good way to keep track. If they see an authority, they'll certainly be toeing the line, so to speak."
According to Russo, vulnerability to theft is further heightened by the use of extra "satellite" cash registers and payment terminals to cope with the bombardment of shoppers. Extra stations make it hard for managers to properly monitor transactions, and new and unattended terminals are significantly more vulnerable to tampering.
Usually such tampering involves placing a "skimmer" onto a terminal, which lifts the data off any payment card subsequently used on that device. Skimming agents often fit seamlessly onto terminals, making them hard to detect even under normal circumstances. Russo said they are even more likely to go unnoticed when used on new payment terminals unfamiliar to store owners.
Vulnerable cash registers and terminals
Russo recommended taking pictures of payment devices and checking regularly for discrepancies between the pictures and the physical terminals. He also suggested running a hand across the top of all terminals periodically to check for raised surfaces or uncovered screws, both of which can indicate the presence of a skimmer.
"You want to make sure that to some degree you have [POS equipment] in a protected area," Russo said. "You can't put cameras up all over the place, but try to follow an ATM kind of a standard: make sure it's not two feet from the door where someone can shove their hand in and run away. And, finally, monitor what's going on on a regular basis."
Monitoring should always involve checking computer logs for potential criminal activity, Russo said. Some programs will alert retailers to potential fraud (for example, employees accessing records they're not supposed to see) via e-mail or text message, but most require that owners be proactive and check software records themselves.
Generally speaking, bolstering security over the holidays should entail very little technical work, Russo said. "There's really a laundry list of things you can do," he said. "It's just simple things, nothing out of the ordinary, to protect what's going on this time of year when it's crazy."