Keep an eye on temps, and other holiday season security tips for retailers

Temporary workers brought in to help during the busy holiday shopping season can sometimes pose a data security risk for companies. The council oversees the implementation of mandatory security standards for protecting credit and debit card data across the payment industry. Retailers that hire temporary help need to keep a watchful eye on them to reduce the risk of data compromises, said Bob Russo, general manager of the PCI Security Standards Council. With many retailers hiring temporary workers to handle extra business, vigilance is key, Russo said. "Management needs to hover at this time of the year, especially with temps," he said.

Proper access controls also need to be in place to prevent temporary workers from gaining access to other systems, he said. Temporary workers who handle credit card data or are involved in any form of payment processing need to follow appropriate security procedures. Training and background checks also need to be done as much as possible, he said. "When you hire somebody as a full-time employee, you have time to do independent checks. But if there is a way to perform checks, even if it is simply verifying references, it's important to do so, he said. "You've got to hope for the best but plan for the worst," in such cases, he said. You can't do that at the end of the year when you are trying to make the Christmas rush and you have about 40 to 45 days to make money," he said. Here are some other measures that security experts suggest retailers take to minimize data compromise risks during the holiday season: Monitor the use of temporary cash registers and handheld scanners.

It's a good idea to bolster physical security around these devices to ensure they are not tampered with, Russo said. Many retailers tend to increase their use of handheld scanners and satellite cash registers to speed up the payment process during the busy season. Without monitoring, it's easier to install a card-skimming device on a satellite register for instance, than it is in on a point-of-sale device in a permanent checkout lane. Install additional video cameras to monitor the use of such devices. Look also for signs of tampering with PoS devices, such as raised or broken seals, he said.

Review log data daily. Checking them daily for red flags is a good idea at any time, but even more so during the holidays, Russo said."Though you might not be able to stop a data breach, you can mitigate them if you are watching those logs daily. System and transaction logs can reveal a lot of information about the security of a payment system. It's a pretty common sense kind of thing," he said. The fraud detection systems that online retailers use can sometimes flag legitimate transactions. "It's generally better to manually review suspect and suspended transactions that may be legitimate rather than lose good sales and customers by rejecting them outright," said Avivah Litan, an analyst with Gartner Inc. Assign more staff to perform manual reviews of suspected/suspended transactions.

Implement "hard" firewall policies. Also train or refresh call center and customer service staff on fraud prevention procedures. "Social engineering of call center representatives is a favorite ploy of the fraudsters," she said. Use a white list of known good addresses to preclude the possibility of card and payment data going anywhere outside the enterprise firewall except to your payment processor, Litan said.

0 comments:

Post a Comment