While a breach of the sheer magnitude of the TJX case had never been seen before, breaches are nothing new. DSW Shoes, Polo Ralph Lauren, and BJ’s Wholesale have all had the misfortune of falling victim to data breaches, exposing millions of card numbers over the last couple of years. Retail companies have faced increasing struggles with protecting credit card data as the use of plastic has continued to increase.
Since security responsibilities at a retail company tend to flow down from the high-level executives, managers at retail outlets — big and small — must make customer credit card data security an absolute priority. If it isn’t, you could be setting yourself up for disaster. Managers must be vigilant when it comes to sniffing out potential security threats. They are on the front lines and have to be on the lookout for fraud, scams, and breaches at all times.
The tips below are designed to help retail managers keep an eye on possible weak spots thieves can exploit.
1. Don’t Write It Down.
Believe it or not, a number of retailers are still physically writing down customer credit card information. Whether it’s happening on telephone orders or in stores, cashiers and salespeople throughout the retail industry are still putting pen to paper in order to get payment information. While on the surface this may seem harmless, writing card numbers on paper creates an additional opportunity for fraud to occur by creating an unnecessary copy of the card that ends up on a floor or in the garbage. The practice of “dumpster diving” by would-be thieves is very real and very effective.
Retail managers must institute a “no-write-down” policy for their employees. At no point should an employee ever write down a customer’s credit card information, regardless of the reason — it’s simply not worth the risk. For larger outlets this commandment is relatively easy to follow as they have the ways and means to employ sophisticated payment technology solutions that can eliminate the need to write down sensitive information. Adjusting to the “no-write-down” policy will take some initial financial commitment for smaller retailers as they make payment technology upgrades, but they need to know that doing so will save their companies’ wallets and reputations in the long run.
2. Keep an Eye on Your Credit Card Processing Equipment.
Retail managers also need to keep an eye on payment hardware as data thieves are attaching or installing covert devices to self-swiping stations. In fact, not too long ago, convenience store chain Stop & Shop fell victim to a data breach. Criminals had broken into checkout-line card readers and planted “bugs” designed to steal customers’ credit card information. In the end, Stop & Shop was unable to tell just how many identities they lost.
Retail managers should train their staff to monitor payment equipment — especially pieces that customers use on their own such as card readers or self-checkout scanners. Doing so will help the company avoid yet another danger of credit card theft.
3. Use Card Number-Free Receipts.
Another data security no-no is printing out the actual credit card number on the transaction receipt. The payment card industry (folks like American Express, Visa, MasterCard, and Discover) has set out data security standards specifically stating that printing complete credit card information out on a receipt is strictly forbidden; however, a number of retailers do it anyway.
For whatever reason, there are scores of companies that, for each transaction, print out a receipt that has the customer’s credit card information included. While this may seem like a harmless, after-the-fact action, the reality is that many of those receipts end up in the trash or get misplaced. Remember “dumpster diving”? Receipts are an even better find as they are proof that a card recently worked. In some cases, they even contain the customer’s name, making it that much easier to use the number in a fraudulent fashion.
As a retail manager, if you see that your system is printing receipts with customer credit card information included, take the initiative to demand that your company implement a payment technology upgrade. Although this is one of the easiest ways thieves can get their hands on credit card data, it is also one of the easiest to avoid.
4. Understand Your Payment System.
Beyond the physical opportunities for credit card data theft, the largest danger lies in the payment process itself. For retail managers and their employees, this is the virtual world where electronic data flows to and from a number of touchpoints in order to be approved or declined for the sale. At the end of the sale process, the details of this electronic data are stored on computers by companies, allowing for future access to the data. Having this large quantity of credit card numbers in one single location invites hackers to target these systems, looking to score large quantities of data at one time.
While the data is certainly at risk as it is being passed among the stores, the banks, and the card companies, the storage of this data at the end of the process is by far the riskiest. Picture a warehouse with mountains of files containing credit card data — each one with a name, account information, an address…an exact copy of a customer’s credit card. This is where data thieves can access bulk quantities of credit card information.
As a manager, take some time to understand your company’s payment system and be familiar with the latest trends in credit card data security. Learn how and why your company may be storing this highly sensitive data. You may want to talk to senior management about upgrading your systems and possibly even partnering with a new credit card processor that offers the latest technologies in data security. Nobody wants to be the next headline as the latest company to lose credit card data and, ultimately, the trust of their customers.
Make It Safe, Make It Happen
When it comes to securing customer credit card data, retail managers have a tremendous opportunity to make sure their company is following proper security protocols such as monitoring card equipment or outsourcing all card processing. Not doing so could cost your company millions in lost business and damaged reputation. You are on the front lines. Take the time each day to follow these tips, and become the voice of data security for your company. The boss will thank you.
About the Author
Jason Gwynn is the vice president of sales at Electronic Payment Exchange (www.epx.com), a leading provider of payment processing solutions headquartered in Wilmington, DE. EPX is the developer of BuyerWall, the first and only cardholder data protection system that eliminates merchant liability while allowing complete control of the customer experience. For more information on credit card data security, news, and solutions, visit www.dontbethenextheadline.com or call 302-264-3110.