
August 17, 2009

Focus on Security…and PCI Compliance Will Follow

While surfing LinkedIn recently, a user’s posted question caught my eye.

The user, a small merchant, asked whether his approach to PCI compliance was the most cost-effective way possible. As his business was recently classified as a Level 4 merchant, he said he needed only “focus on those areas where we may fall short.” He also said free or low-cost solutions might be the best option because while “not very user friendly,” they do “tick the right PCI boxes and get us PCI compliant.”  

The poster then went through several security measures he was considering, including internal scanning and file-integrity monitoring. “Or am I just wasting my time?” he asked.

Well, no. Anything you do to make your business more secure is a good thing.

But, as another LinkedIn user correctly pointed out, the merchant was asking the wrong questions.

Instead of focusing on what it would take (and how much it would cost) to better secure customer information, the merchant was laser-focused on simply becoming compliant.

This is the wrong approach, tactically and psychologically. The PCI Data Security Standard is a way to validate basic data security. It’s not the Yellow Brick Road to Oz. It’s only a tool—a pretty good one—to help minimize danger along the way.

Neither I nor the other LinkedIn user, I’m sure, believes this merchant doesn’t care about the security of his customers. But the things the poster, and any merchant, should be focusing on first are the steps to improve the overall safety of cardholder data.

Steps like:

  • Using a compliant payment application. You can access these applications here.
  • Securing transactions. All cardholder data must be encrypted during transmission.
  • Conducting regular Web application and vulnerability scans. If you have externally-facing IP addresses, conduct regular scanning to identify critical vulnerabilities for remediation.
  • Setting cardholder data storage policies. Merchants should not electronically store credit card data without a compelling business reason.
  • Setting access policies. Employees who don’t need access to sensitive customer information should not be given access.
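The storage and access bullets above are policy statements; what they look like in an ordering system is shown by this added example, which is not code from the original post or from ControlScan. It assumes a simple order dictionary, a well-known test card number rather than a real account, and a hypothetical role table: the card number is truncated to at most the first six and last four digits before it is saved, sensitive authentication data such as the CVV is dropped entirely, a keyed hash stands in for the full number so repeat customers can still be matched, and each role sees only the fields it needs.

```python
import hashlib
import hmac
import re

# Constructed sample of what an order looks like before it is persisted.
# 4111 1111 1111 1111 is a widely used test PAN, not a real account.
RAW_ORDER = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "customer": "Sample Customer",
}

# Sensitive authentication data that must never be kept after authorization.
FORBIDDEN_AFTER_AUTH = ("cvv", "pin", "track_data")

# Hypothetical role table: each role may read only these fields of a stored record.
ROLE_PERMISSIONS = {
    "cashier": {"order_id", "customer", "pan"},          # masked PAN only
    "refunds": {"order_id", "customer", "pan", "pan_ref", "expiry"},
    "marketing": {"order_id", "customer"},               # no card data at all
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: confirms a digit string is at least shaped like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask everything between."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, secret: bytes) -> str:
    """Keyed hash of the PAN: lets the merchant recognise a returning card
    without retaining the number. The key must live outside the database."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(order: dict, secret: bytes) -> dict:
    """Apply the storage policy: drop forbidden fields, truncate the PAN, add a reference."""
    stored = {k: v for k, v in order.items() if k not in FORBIDDEN_AFTER_AUTH}
    stored["pan"] = truncate_pan(order["pan"])
    stored["pan_ref"] = pan_reference(order["pan"], secret)
    return stored


def view_record(stored: dict, role: str) -> dict:
    """Apply the access policy: return only the fields the role is permitted to see."""
    allowed = ROLE_PERMISSIONS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    return {k: v for k, v in stored.items() if k in allowed}


if __name__ == "__main__":
    # The secret would normally come from a key store; a constant is used here for illustration.
    record = prepare_for_storage(RAW_ORDER, secret=b"example-key-not-for-production")
    print("stored:", record)
    for role in ROLE_PERMISSIONS:
        print(role, "sees:", view_record(record, role))
```

The stored record never contains the full card number or the CVV, so a copy of the order database is of little use to a thief; and because the visible fields are decided per role rather than per request, adding a new job function means editing one table instead of auditing every screen.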

As for the LinkedIn question, the reader who responded to the merchant’s post had a particularly valid point: “If you are worried about the cost (to become) PCI DSS compliant, check on the alternative. Be non-compliant when your system is compromised, then you will be talking about real money and possibly your company will go out of business.”

I couldn’t have said it better myself.

‘Till Next Time,

Joan
The eSecurityDiva

August 10, 2009

Study: Merchants Need Better Guidance on Security

If your store was breached, could you prove you were PCI compliant?

In a new survey, 45 percent of small merchants who claimed to be PCI compliant said they did not have the documentation to support their Self Assessment Questionnaires. This key statistic indicates that many merchants are just “going through the motions” when it comes to becoming compliant with PCI guidelines.

Thankfully, the majority of these polled merchants were aware that PCI compliance was of value in securing customer data. In addition, 88 percent of them said they viewed data security as a “high” or “medium” priority.

The report, sponsored by my company, ControlScan, as well as the National Retail Federation and the PCI Knowledge Base, outlines some surprising facts about small merchants’ attitudes toward data security and provides recommended solutions to this crucial issue.

A key implication of the report: Acquirers, ISOs and other providers serving the retail industry need to exercise more leadership and better guide merchants along the path to PCI compliance.

Why do these players need to do more? More than half of the 220 polled merchants said they depend on their merchant banks and point-of-sale or payment-application vendors for this knowledge. Also, while awareness of the PCI standard is high among small merchants, the level of understanding about PCI and how to comply is not. Of the merchants who said they were not PCI compliant, the reasons cited included “don’t understand it”, “don’t have the resources” and compliance is “too hard.”

Most merchants want to be more secure and PCI compliant, but they are confused about how to go about doing it.

But don’t just take my word.

“We want to comply,” one survey taker said, “but we’re not IT gurus. Please educate us and make it clear what we need to do.”

So…here are a couple of things ISOs and acquirers can do—now—to help merchants protect credit card data:

  • Lose the jargon! Explain to merchants in an easy-to-understand manner how to be more secure. Get tactical and provide the specific guidance small merchants need.
  • Educate them on the very real risks of non-compliance. Things like the fact that 85 percent of all breaches occur at small businesses, and that fines can reach up to $25,000 monthly until compliance is achieved.

You can read the full report, “What Small Merchants Know (and Don’t Know) about PCI Compliance”, here.

I’ve said this before. No measures will completely eliminate the threat of hackers. As long as there is money to be had, hackers will always be there. Waiting. Scheming. Evolving.

Further, we all know PCI compliance is not perfect. But I firmly believe that if we all work a little harder—as a team—data security can improve substantially.

'Till Next Time,

Joan

The eSecurityDiva

July 20, 2009

What Happens in Vegas Will Be Everyone’s Business…If You’re a Retailer

You’ve heard the saying. What happens in Vegas stays in Vegas.

That might be true for vacationers. But thanks to a new Nevada law, merchants in that state won’t have it so easy: If you receive, transmit or store payment card information, and you’re not PCI compliant next year, you’ll be breaking the law.

Yes, Nevada has become the first state to legislate full PCI Data Security Standard compliance. Only Minnesota’s 2007 law, which involves a small portion of PCI rules, comes close. California and other “progressive” states haven’t even touched this; they’ve only passed breach notification laws or other less strict data privacy laws.

If you’re a merchant in Nevada, the effect is obvious. Comply or face additional penalties on top of those imposed by credit card brands. Plus, the new law, SB 227, among other things, specifically mandates the encryption of customer data transmitted between entities. (PCI DSS already requires this, by the way.)

If you don’t do business in the Silver State, the effect could be the same. That’s because many experts, with good reason, predict other states will follow suit. Time and time again, states have followed California’s lead on similar issues.

Whether you like PCI DSS or not, or government regulation on this issue, there are some serious questions to think about.

What happens if 50 different states pass 50 different PCI-related laws? That could be rather confusing, cumbersome…and expensive. At least with Sarbanes-Oxley, a controversial accounting oversight law, it’s federal. That means one rule. In 50 states.

Also, the PCI Security Standards Council went through a thorough process to come up with its rules. Some experts such as David Taylor, founder of the PCI Knowledge Base, worry that state legislators will not go through the same processes. In a recent blog post, Taylor laments the fact that the Nevada law makes a point to add encryption…when it was already included in PCI rules. (Further, encryption itself is hardly standardized.)

“This is more proof that government organizations should not be writing technically-detailed security legislation,” Taylor writes. He continues: “Since security legislation does not have to go through such a process, I remain skeptical that state, federal or international legislation can improve on what PCI DSS already provides in terms of technical detail.”

I also wonder how strictly, if at all, these state laws will be enforced. Other things to consider—will Nevada’s upcoming law, and other PCI-related laws, actually put a dent in fraud?

Quoted in BankInfoSecurity.com, Tom Wills, a senior analyst for Javelin Strategy and Research, says Nevada’s interest is a step in the right direction. But, ultimately, “I don’t expect fraud to drop significantly because of it—until we see a strong educational push,” he says.

Bottom line, legislation might spread the wrong belief that PCI compliance is the absolute goal. As I’ve said several times in this blog, PCI compliance is only a point-in-time measurement. Security is an ongoing process.

I hope our state legislators have a firm grasp of this concept when they tackle this very important issue.

Till Next Time,

Joan,
The eSecurityDiva

June 29, 2009

Tired of Shopping Cart Abandonment?

If you’ve tracked visits to your ecommerce site lately, you’ve likely noticed that as many as half of your shoppers got cold feet at the last minute…right before the part where they were supposed to click “Pay Now.”

Known as shopping cart abandonment, it’s a major issue that ecommerce technology companies and consultants are tackling.  

There are plenty of reasons why a shopper would go through the effort to fill his or her cart and then bail out. Uncertainty about the economy is likely one major cause. A horse racing fan would be happy to find, say, a bronze replica of Mine That Bird, the 2009 Kentucky Derby winner, on your site. But then things like sales quotas and job security come to mind. Your shopper then becomes just a visitor.

Well, according to a new ecommerce report by PayPal and comScore, the No. 1 reason for abandoned carts is sticker shock. Not on the product itself but on the cost to ship that product. In a poll of U.S. consumers, 45 percent said they had abandoned an order at the last minute because of higher-than-expected shipping fees.

So what’s a solution to this? The report indicates that 40 percent of those people who cited shipping costs as the No. 1 reason would not have abandoned the purchase if the retailer had provided shipping fees upfront. Transparency is key here, folks.

Another reason why shoppers bail, the study says, is concern over credit card security—21 percent.

What does that mean in dollars? According to a March report by Javelin Strategy & Research, this fear equated to $21 billion in lost sales in 2008! That’s a lot of abandoned carts.

Nothing will eliminate this fear because it’s based in reality. Identity theft and credit card fraud are growing exponentially. And so are the headlines of data breaches.

But there are steps you can take to decrease shopping cart abandonment and increase shopper confidence:

  • Go through the effort to get your site scanned for security and PCI compliance. Make sure you address any known vulnerabilities immediately. And work with your PCI vendor to ensure that scans are conducted regularly, at least weekly.
  • Display the security seal you earned proudly.
  • Make your contact information prominent. And provide an address. Your prospects want to feel as if you’re a real company with a real locale. Not some faceless store in the netherworld of virtual space.
  • Make your privacy policy prominent too. Communicate clearly that you won’t be using your prospects’ info for anything other than processing their orders.
  • Provide product reviews if applicable. When a shopper sees customer reviews, there is just something real they bring to the table. Reviews convey a sense of community…and hence a feeling of security.

You can’t do much about the economy part—36 percent of respondents said “lack of money” was the primary reason for changing their minds. But with a little work, you can do a lot to inspire more confidence.

‘Till Next Time,

Joan,
The eSecurityDiva

June 16, 2009

Batteries.com Breach: Headaches All Around

The recent breach of online retailer Batteries.com may have escaped your attention.

The Indiana-based company, according to a few reports, issued a letter to officials in New Hampshire indicating that hackers penetrated the Batteries.com network over a period of two months from February to April 2009. In the letter, the company indicated that 865 residents of New Hampshire had been victimized. Stolen data included customer names, addresses and credit card details.

Some of that data, Batteries.com says, was used for fraudulent purposes.

Information has yet to be released on how many victims there are outside of New Hampshire. But I don’t think a hacker would have a grudge only against residents of the “Live Free or Die” state. It’s safe to assume many more customers’ identities and credit card accounts have been affected.

Those customers will undoubtedly suffer severe headaches. Dealing with credit card companies. Credit bureaus. Banks. Automated phone systems. Paperwork. The list goes on.

One alleged Batteries.com customer on this message board said he had “thousands of charges” on his credit card from someone in the United Kingdom.

“(I)t looks like the operation is very sophisticated,” the poster says. “Some of the charges occurred within 1 second of each other and must have been automated because one of the companies, British Airways, indicated that they do not permit an airline ticket to be purchased by somebody and paid for by somebody else, and the card ‘looked’ like it was issued in the UK…I suspect thousands of other victims are seeing charges on their cards too.”

But Batteries.com, and any other merchant who is hacked like this, will also suffer severe headaches. First of all, the company will be issuing two years of free credit monitoring services to victims. Second, how many of these victims are likely to shop at Batteries.com again? And what about negative press coverage?

Further, can you imagine the amount of costly and time-consuming forensics work that goes into determining the details of two months’ worth of hackings?

As a merchant, if you are breached like this, you’ll pay a forensics auditor $250 an hour to spend days—many times several weeks—to pore through your “log” files, which register all events on your network. These auditors will conduct “reverse engineering” and scour your network for all sorts of data, such as whether any users accessed your network from unusual locations. If your log files have been compromised, or not backed up properly, the process can take even longer.
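Two of the checks an auditor runs over those log files are simple enough to show in code: which accounts were used from outside the networks the merchant expects, and whether the log itself has holes or out-of-order entries that point to tampering or missing backups. This is an added example written for this post, not code from the original or from any assessor; the log format, the sample lines and the trusted network range are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a remote-access log. The key=value format is an assumption;
# real devices each have their own layout, but the checks below do not depend on it.
SAMPLE_LOG = """\
2009-03-02T08:05:11 user=clerk1 src=192.168.10.25 event=login status=ok
2009-03-02T08:07:40 user=manager src=192.168.10.30 event=login status=ok
2009-03-02T23:41:02 user=clerk1 src=203.0.113.77 event=login status=ok
2009-03-03T00:02:19 user=clerk1 src=203.0.113.77 event=file_read path=/pos/batch.dat
2009-03-02T23:50:00 user=manager src=192.168.10.30 event=logout
2009-03-05T09:00:00 user=clerk1 src=192.168.10.25 event=login status=ok
"""

# Assumed trusted network: the store's own LAN. Anything else counts as "unusual".
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

# A silent stretch longer than this in a log that normally records daily activity
# is something the auditor will ask the merchant to explain.
MAX_GAP = timedelta(hours=24)


def parse_line(line: str) -> dict:
    """Split one record into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def unusual_access(records: list) -> dict:
    """Events whose source address lies outside the trusted networks, grouped by user."""
    findings = defaultdict(list)
    for r in records:
        src = ipaddress.ip_address(r["src"])
        if not any(src in net for net in TRUSTED_NETWORKS):
            findings[r["user"]].append((r["ts"].isoformat(), r["src"], r["event"]))
    return dict(findings)


def integrity_issues(records: list) -> list:
    """Timestamps that go backwards, or long gaps, in a log that should be append-only.
    Either one is a reason to pull the backed-up copy and compare."""
    issues = []
    for prev, cur in zip(records, records[1:]):
        if cur["ts"] < prev["ts"]:
            issues.append(("out_of_order", prev["ts"].isoformat(), cur["ts"].isoformat()))
        elif cur["ts"] - prev["ts"] > MAX_GAP:
            issues.append(("gap", prev["ts"].isoformat(), cur["ts"].isoformat()))
    return issues


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, events in unusual_access(recs).items():
        print(f"{user}: {len(events)} event(s) from outside trusted networks")
        for ev in events:
            print("   ", *ev)
    for kind, a, b in integrity_issues(recs):
        print(f"log {kind}: {a} -> {b}")
```

On the sample above, clerk1 shows two late-night events from an address outside the store LAN, the manager's logout is stamped earlier than the record before it, and nothing at all is logged for more than two days. None of that proves a breach by itself, but each item is exactly the kind of thread an auditor pulls on, and the cleaner and more complete the logs are, the fewer billable hours it takes to pull them.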

An IT forensics audit is so complex that Visa has certified only seven vendors as “qualified incident response assessors.” (The data gathered during these audits, by the way, help companies such as Verizon Business, one of the seven assessors, publish great breach reports like this.)

An IT forensics audit, in many ways, is similar to a homicide forensics exam. But an IT audit can cost you $20,000 or more when it’s all said and done.

That may be good news for Visa’s qualified assessors. But for small merchants, a massive breach can be devastating.

‘Til Next Time,

Joan
The eSecurityDiva.

June 03, 2009

When it Comes to PCI Compliance, You Need a Partner

As Payment Card Industry deadlines come and go, I’ve noticed a rash of acquiring banks, card processors, ISOs AND vendors jumping into the mix to get a piece of the compliance-fee pie.

So, what does this mean for small- or medium-sized merchants? Well, this influx does show that companies of all walks are becoming more aware of security and PCI compliance. That is good.

But the influx also means plenty of opportunities for questionable practices that may not improve the true state of security or serve the merchants’ best interests. That is not good.

Becoming PCI compliant is a daunting task for any merchant, especially small merchants. Whether you’re a merchant or an acquirer, you should learn more about security and PCI before selecting a compliance partner. You should also beware of simply going with the vendor who offers the lowest fees. Understand what you can expect from the PCI vendor and make sure the result is a more secure business.

Despite the inherent complexities surrounding PCI compliance, we’ve all seen ill-conceived programs that don’t provide the most basic of services or support to merchants. Some don’t even provide a basic education in PCI. Bottom line, smaller merchants need real help with becoming—and staying—compliant.

After all, no one wins if you get fined. Or worse, breached.

Which makes me think. What is really driving this behavior? Is it to protect shoppers’ payment card data? Is it to minimally satisfy the card brands’ mandates? Or is it to create an incremental revenue stream?

Can these drivers co-exist…or are they mutually exclusive?

Some recent trends suggest to me that it will take a while for the PCI market to shake out. Merchants and acquirers will eventually grow wise to shoddy activity and will gravitate toward quality PCI-compliance services. Unfortunately, in the meantime, not enough is being done to truly advance increased security for small merchants. 

Congress is aware of this, as we’ve seen with the recent PCI hearings. As the pendulum tilts toward more regulation on everything from carbon emissions to debt lending, this lack of true security improvements could ultimately lead to Congress legislating compliance—which the PCI Council has been diligently working to avoid.

Worse, these trends will hurt your efforts to become PCI compliant, which will ultimately leave your shoppers more exposed to hackers and data thieves.

As the new PCI market begins to mature, having the right partners will help you stay compliant in the most efficient manner possible. Having the right partners will also ensure you’re not being taken advantage of.

‘Til Next Time,

Joan
The eSecurity Diva

May 05, 2009

More Has to Be Done to Enhance Security. But What?

If you read about the recent Congressional PCI hearings, you know just being PCI compliant doesn’t equal security. PCI compliance is only a point-in-time measurement.

So…what’s a small- or medium-sized merchant to do?

After all, the PCI compliance process can be challenging enough. But now, it’s become crystal clear that retailers, even the smallest of ones, have to make sure they’re going above and beyond what the credit card companies mandate.

Remember the Hannaford Bros. breach last year? Hannaford was certified PCI compliant by a third-party assessor—one day after the grocer was notified of massive system intrusions that had occurred months prior. The likely cause? The hackers’ malware intercepted data on magnetic strips as they were swiped by customers.

That doesn’t mean PCI compliance is worthless. Not by a long shot. In fact, Visa maintains that no company suffering a breach has been proven to be PCI compliant at the time of the compromise. It’s important to remember that PCI security standards are industry best practices that have protected tens of thousands of merchants—and cardholders—against malicious behavior. 

But these standards still have room for improvement. The PCI Security Standards Council is continuously seeking feedback from merchants, processors and other industry stakeholders on ways to strengthen the standard. To this end, the council has recently commissioned a study on emerging technologies that could further protect cardholder data.

The PCI data security standards, according to a recent report by the Society of Payment Security Professionals, “must be recognized for what (they are)—a tool in the protection of data rather than the last line of defense.”

I know it’s easy to put security on a lower priority list, especially if you’re a small retailer. But if you are a smaller retailer, you’re a bigger target. That’s because savvy hackers know you have fewer resources on hand, including money and time, and are often running older, insecure payment application versions.

And trust me, it’s well worth your money and time to take security seriously. If a breach has been detected in your system, you may be responsible for:

  • A “forensics” examination, which can cost $10,000 or more, according to www.pcicomplianceguide.org.
  • Between $5,000 and $50,000 (or more) in compliance fines.
  • Legal fees.
  • Up to $10 per card for replacement.
  • Complying with state breach notification laws as applicable.
  • Restoring your customers’ confidence.

Total costs for a breached “Level 4” merchant, or those processing fewer than 20,000 e-commerce transactions annually and all other merchants processing up to a million transactions, average $36,000 and may be catastrophic for small businesses.

So, what can you do to prevent the hassles and potential business killers of a breach? First, let’s address a few things smaller merchants must do to become compliant:

  • Complete an annual Self Assessment Questionnaire.
  • Pass quarterly vulnerability scans (merchants with externally facing IP addresses).
  • Develop in-house information security policies.
  • Launch security awareness training for you and your employees.

Don’t approach PCI compliance with a “check-the-box” mentality. Use it as an opportunity to maintain a high security posture and make it part of your daily routine. Remember, defending against criminals is not a one-time event, it’s perpetual.

Of course, the burden shouldn’t be completely up to retailers. Banks, processors, gateways, credit card companies and security providers all have to do a better job at coming up with new methodologies, technologies and education programs to help you better protect your business and your customers’ important information.

Congress agrees.

At the hearing, a number of suggestions came up, including the need for the United States to adopt encrypted PIN technology and smarter credit cards. For years, several European countries have been using chip cards, which have small computer processors on them. Chip technology can protect against “skimming,” which involves the copying of private information from the magnetic stripe. A chip, on the other hand, cannot be copied.

According to Rep. Yvette Clarke, chairwoman of the subcommittee that held the hearing, such technologies can help reduce incidents by nearly 70 percent!

Here are some other steps advocated by the Society of Payment Security Professionals:

  • The reduction of sensitive data storage. The less crucial data you have on premise, the less data can be stolen.
  • The adoption of a more structured IT governance program. This would push us from a system of simple compliance to “real security.”
  • The deployment of a more collaborative approach to address security issues. By sharing information, new security issues will surface sooner and fixes will follow.

I want to hear from you. What needs to be done to improve the PCI compliance process? How can ControlScan help educate you on what you need to do to become PCI compliant? And what can be done to improve security at our nation’s retailers?

Until Next Time,

Joan,
The eSecurityDiva

May 04, 2009

Choosing the Best Hosting Provider for Your Website

We talk to thousands of small merchants each month. Their questions span many topics, but we’re often asked if we can provide any guidance in helping a small merchant select a hosting provider. Our customers are looking for a provider who will meet their specific business needs and offer a cost-effective solution.

David Abouchar, senior director of product management at ControlScan, recently led a podcast on this topic. In the podcast, "Tips to Choosing the Best Hosting Provider for your Website", David gave insight into the kind of questions you should ask and the level of support you should expect when choosing a hosting provider. A few of the key takeaways that I think you’ll find helpful are:

  • Anticipate your Website traffic and how you will be processing credit cards first so you can determine the right hosting plan.
  • Decide whether or not you will need managed or unmanaged services based on your technical resources.
  • The level of support is a key consideration. Know up front how and when support will be available to you.
  • Use your resources. Ask your Web designer and other vendors for referrals.
  • Be sure to review the agreement and contract terms in detail before your final selection. Know which services are covered in the base services agreement and which are not.
  • Make sure the hosting provider you select is PCI compliant as this will greatly simplify your own PCI compliance process.

To learn more about choosing a hosting provider, check out the podcast by visiting https://www.controlscan.com/podcasts/choose_best_hosting_provider.php.


'Til next time,

Joan

The eSecurity Diva

April 06, 2009

Congress: If You’re Just PCI Compliant, You’re Not Secure

Is regulation coming to a point-of-sale device near you?

It certainly appears so. At least if the credit card ecosystem—banks, processors, security companies, assessors and retailers—doesn’t do more to ensure consumer transactions are safer.

Last week, Congress held hearings designed to get to the bottom of what is being done, and what can be done, to help stem the tide of cyber fraud and identity theft. It left little to debate. More has to be done. Now.

Bottom line, said a no-nonsense Rep. Yvette Clarke, chairwoman of the subcommittee that held the hearing, just being PCI compliant does not guarantee security.

Clarke said a recent investigation found PCI standards are of “questionable strength and effectiveness.” As a result, she warned, retailers need to take proactive measures to protect themselves and their consumers. She also said new security technologies and practices are needed—ASAP:

“The time for waiting is over. The time for shifting risk is over. Today, the responsibility is yours to make this situation better.”

Clarke spoke those words to a panel consisting of high-ranking representatives from the Department of Justice, the PCI Security Standards Council, Visa, Michaels Stores and the National Retail Federation.

For a change, it certainly appeared to me that our elected officials got it. And I also think the panel did an excellent job delivering a down-and-dirty assessment of the strengths, limits and dangers of our current security compliance system. Even if they did shift blame a little.

I think we all can appreciate just how vulnerable we are when Rep. Dan Lungren, vice chair of the committee, admitted his family was recently a victim of credit card fraud. He was particularly peeved at how he was informed: Embarrassingly, at a restaurant, when the waiter said his card wasn’t working. When Lungren called the credit card company, it didn’t have any information other than his account had been “compromised.”

Talk about more work to be done. If this can happen to Lungren, it can happen to anyone.

The PCI Council’s Robert Russo said his organization’s standards are solid. The challenge is that the council doesn’t enforce standards. That’s up to the credit card brands and the banks/processors. Many companies also approach PCI with a checking-the-box mentality. PCI compliance should be viewed as an opportunity to build solid security best practices for long term security versus point in time security. Visa’s Joseph Majka, meanwhile, said the credit card company never found a breached company to not be in compliance with PCI standards.

Regardless of these testimonials, data security standards need some work, said Michael Jones, CIO of Michaels Stores, who delivered a no-holds-barred critique of the PCI compliance process. These standards were “set up for the credit card companies and banks to have all the power over fines and mandates,” Jones testified. “It is not an industry standards body.”

He continues: “We would be more secure…if the credit card companies would take more responsibility.”

Jones’ concerns: The inconsistencies, confusion, high cost and ambiguity in data security standards. Not to mention the credit card monopoly that controls these standards. While there is some debate over his particular issues, I agree PCI standards need to be much better. I also agree more responsibility can be shared. The retailer, after a breach, is left holding the bag. The retailer is demonized in the press. And it is often the one hit with fines.

We can debate the fine points of Jones’ concerns all we want. But it’s clear the United States is lagging behind. And it’s also clear retailers’ systems need to be better protected. While several European countries have enacted stricter and smarter standards, regulations and technologies, fraud has decreased in those countries. However, it is increasing globally, Chairwoman Clarke points out. Why is this? Because hackers are taking advantage of countries with weaker technologies and security practices.

In other words, countries such as the United States. Of course, we must all keep in mind that the European countries’ new technologies have far fewer companies to cover than the United States does.

In a coming post, I will lay out some best practices specifically focused on small merchants. In the meantime, the seriousness of the situation cannot be overstated. Not only are U.S. retailers the means by which more hackers are becoming rich, but U.S. retailers are also the means by which terrorists are financing their murderous activities.

Clarke reminded the panel that the 2002 Bali nightclub bomber financed his mission with credit card fraud.

Terrorists are clearly on the hunt for cyber vulnerabilities.

They could find that next vulnerability in your system.

Until next time,

Joan
The eSecurityDiva

March 25, 2009

The Greatest Threat to Retail Security Lies Within

In the best of times, retailers know that theft is a matter of when, not if.

In times like these, well, you can only imagine that the threat is amplified. Some estimates show retail theft soaring 20 percent over the past six months or so. For a small retailer, a 20 percent increase can be a death knell. It’s a serious increase even for the Wal-Marts of the world.

But before you cast an overly-cautious eye at the next customer who comes in, you may want to look within first.

I recently had a chance to talk to Terrence Shulman, head of the Shulman Center for Compulsive Theft and Spending. A year ago—before the credit meltdown—companies were losing $50 billion annually from employee theft, he says. Shoplifting, meanwhile, accounted for $15 billion to $20 billion—60 percent less! Worse, Shulman says, shoplifters usually don’t habitually frequent the same locales. Employees, on the other hand, are there every day. And on average, it takes 18 months to catch a thieving employee.

“It’s hard to live in an environment where you can’t trust anybody,” Shulman says. “But we all need universal precautions. Especially today.”

Shulman, author of “Biting the Hand That Feeds: The Employee Theft Epidemic,” is a therapist who helps people who are addicted to everything from shoplifting to credit card fraud. Oh, and in case you were wondering, he really knows what he’s talking about: He’s a former compulsive thief. He was even arrested—twice—for his crimes.

We talked about steps retailers can take to lessen employee theft. We also talked about the psychology of employee theft. After all, you can better prevent problems if you better understand them.

Yes, theft is up due to the bad economy. When people have less money, they steal more.

However, employee theft is also driven by anger at their respective employers, not necessarily by a feeling of financial necessity. Lack of respect is a big driver, he says. Another driver is having their hours or benefits cut, or having increased responsibilities levied on them with no increased compensation.

Anger at the current business and political climate is also a factor. Many employees, he explains, see the headlines of “fat cat execs” getting million-dollar bonuses, while their failed companies are getting bailed out by U.S. taxpayers. This is leading to an “entitlement environment” in which some employees feel they deserve more than they really do, because others—such as bank CEOs, AIG execs, certain politicians, and even Bernie Madoff—are rolling in money they don’t deserve, Shulman says.

These feelings can manifest in stealing money, merchandise or even identities.

“People are beginning to think differently about ethics,” Shulman says. “They are increasingly thinking that life is not fair, that nobody is honest. When you’re working hard, and when you’re only criticized and not rewarded, this thinking increases. It might start off small. Like lying on a time card. Or taking office supplies home. Little by little, the seeds are planted.”

He continues: “They’re thinking, ‘Why should I be busting my butt for so little?’ It creeps in even with people of integrity. Over time, it becomes addictive.”

Which leads to how to decrease the probability that you will become a victim:

  • Conduct background checks on prospective employees.
  • Look into “honesty assessment” tests.
  • Require letters of reference.
  • Set up a probationary period for new employees. So as not to make them feel like they’re under suspicion, make sure the policy is applied to everyone.
  • Consider technologies such as more advanced cameras, RFID and barcoded timecards.
  • Conduct random audits to limit embezzlement.
  • If a theft does occur, prosecute. It may be tempting to forgo the hassles of prosecution, but you’ll send a message to other employees. And you may actually help the thief out. Going to jail may be the catalyst that effects change in his or her life, Shulman says.

But perhaps the most important tip: Don’t forget the “human element.” Trust your intuition when interviewing a prospective employee. We can rely on all the technology in the world. But in the end, human instinct is often the most powerful tool in detecting—and preventing—bad behavior.

And…once you’ve hired an employee, treat him or her well! Employees who are respected by their employers are less apt to steal, Shulman says. Further, having happier employees may actually lead to less customer shoplifting. That’s because shoplifters often commit their crimes on a whim, perhaps when confronted by a rude or complacent employee. Happy employees are simply less apt to be rude or complacent.

And since we’re on the topic of the human element, watch the bottom-line instinct when confronted by decreasing revenue. The first thing many retailers do when facing financial pressures is to cut back on employees' hours. But this can actually cause increased opportunities for customer theft because there will be fewer eyes.

I’ll leave you with a few sobering and optimistic figures. According to Shulman, about 30 percent of retail employees will steal regardless of what you do; it’s just in them. However, 30 percent also will never steal, due to their good ethics. That leaves 40 percent that you can affect…

Positively or negatively.

Until next time,

Joan,

The eSecurityDiva