Target data breach to have implications for everyone involved in card payments
Just as we see insurance rates rise on the back of a huge natural disaster such as bushfires or floods, retailers and other businesses receiving payments online or over the counter by card will be forced to shoulder some of the costs associated with the extraordinary data breach reported by US retail giant Target.
While there is talk about fines and other costs for Target and its partners, a knock-on effect for even retailers in Australia is something we should anticipate as card issuers, consumers and, yes, retailers, seek a more secure card processing environment. In saying this, I am well aware of the difference between the card processing platform in Australia and the US. That does not mean regulators and/or card issuers won’t use this extraordinary data breach to increase security. I am certain retailers will bear some costs associated with this either in infrastructure changes or an increase in fees we pay.
Given that authorities are saying the Target breach is part of a broader attack, there are bound to be worldwide implications. This will be a cost of being part of a connected always-on world, a cost that will continue to rise.
My concern is that small business retailers will end up paying a higher price as a percentage of turnover than companies like Target that are, in my view, more vulnerable to attack.
Forbes has published an article documenting the timeline of the breach which is good reading. The Chicago Tribune has a good backgrounder on the breach.
Newsagency armed robberies a security reminder
The robberies of Victorian newsagencies going back months and now recently being reported are a reminder to newsagents to review physical property security, review security procedures including money transfer, remind employees of best practice for handling a situation like this, check insurance and ensure you have some form of camera system to capture any incident.
Victoria Police has a useful security kit available from their website.
Beware: Ukash fraud could hurt your newsagency
I received this report from someone in the insurance business Friday about a Ukash related scam perpetrated on an Australian business:
A shop employee took a call from a man stating he was a technical manager from our phone Epay and UKASH voucher provider, stating they will be upgrading our system the next day at 1pm and will this be convenient, please confer with the store owner. The person had the store owners’ names, which made it more convincing.
The employee was very busy at the time preparing the shop for closure so did not immediately contact the owners. Some ten minutes later this person called back stating they required some vouchers to be printed off in preparation for the upgrade and gave a reference number and asked for nine vouchers of various amounts totalling $1,800 to be printed off and to quote the reference number provided earlier.
In the process of doing so the employee became concerned and went to their mobile to call the owner as the caller had tied up the shop phone line. Once the owner was informed he immediately went to the store to discover the vouchers had already been cashed even though the caller was still holding on the shop line.
All staff were aware that they are not to sell vouchers over the phone but this person convinced the employee that things were in order, stating both owner and managers’ names along with other technical references.
Fortunately we were able to settle the claim but we believe this is a timely warning to take extreme care.
Please warn all your staff about this. Not all insurance policies would cover the newsagent.
Another breach of shopper trust
US retailer Neiman Marcus announced Friday that its IT systems had been hacked and some customer credit card information compromised. That’s nice corporate-speak.
On Friday also US retailer Target said the credit card details of 70 million shoppers had been affected by their credit card data breach – up from 40 million announced previously.
As a retailer you have an obligation to protect your customer information. They give you credit card and other information in a relationship of trust. Newsagents who store credit card details in their newsagency software ought to review their security.
Footnote: newsagents using Tyro need not worry since the credit card details are not shared between Tyro and their newsagency software.
Sunday newsagency management tip: reconcile your bank account regularly
A newsagent recently told me that they reconcile their accounts with their bank account every six months when their accountant does their books. This is crazy. My recommendation is that you reconcile your bank account at least weekly and preferably daily if you bank daily.
By reconcile – and as someone without any accounting training – I mean reconciling all income as recorded in your computer system to your bank statement and your computer accounting records. This work should be done by you or someone you trust but who does not have control of the cash in your business. It does not need to be done by your accountant – despite what they may say.
A newsagent discovered employee theft earlier this year that had gone undetected for several months because they did not regularly reconcile their bank account to daily takings records.
Employee theft easier in stand-alone EFTPOS situation
I’ve seen evidence this week of employee fraud against a retailer where the EFTPOS terminal is not connected to the POS software used by the business. The employee recorded the sale in one way on the software and differently through the EFTPOS terminal. Poor back office management of the business meant that the behaviour went unchecked for some time.
I encourage newsagents using EFTPOS to only use it in an integrated way. You cut keystrokes, streamline sales processing and reduce the opportunity for employee fraud.
Tampering with security is a reason for termination
I terminated the employment of someone this week because they deliberately disconnected the security camera located directly above a sales register. Their explanation was that the camera had been faulty and they were trying to fix it. The video evidence shows the camera working days prior to them reaching up and behind the camera and removing the cable that connects it to the recording device.
They wanted the camera off and the only reason could be one that compromises the business.
When it comes to business security we need to take a zero tolerance approach. Yes there are labour laws to respect. When it comes to casual employees we have some more flexibility.
Can you deduct money from employees for end of shift cash shortages?
A newsagent asked me yesterday if they could deduct end of shift cash shortages from employee pay. I advised I’d never done it but didn’t know the law.
Searching online I found an excellent website, Workplaceinfo, with this advice:
6. Cash shortages
Another common problem is cash shortages by employees whose duties include the handling of money.
Generally, the employee cannot be held responsible for the repayment of any shortages which may occur unless the employee has sole access to the money.
An award or agreement may make provision for recovery of any shortages, however, a proper investigation would still need to be conducted by the employer to determine the guilt or innocence of the employee.
The absence of such a provision does not affect the employer’s right to take such disciplinary or legal action as the employer considers necessary.
So it comes down to what you have agreed with your employees. It starts with what is in the contract, what is in any applicable award and the rules of the business. Plus it relies on the evidence you have and the process you go through to determine who is at fault.
The key is to have a structured end of shift process that leaves little to chance and everything to documentation. The more you use a consistent system or process for managing money and data in your business the easier it is to handle cash shortages. Sloppy processes lead to mistakes and undesired costs.
For more reference, check out the University of Southern Queensland’s policy on cash floats.
Showing off shoplifters to cut retail theft
I think I like the photos of shoplifters on show in the front window of a store I saw a couple of days ago. I say think because I’m not 100% sure. The number of photos suggests that this shop is a haven for shoplifters. It also says it watches videos and will not hold back in publishing photos of people exposed as stealing. I think the better approach is to promote the images online where more can see them.
Sunday newsagency management tip: use your newsagency software to help cut theft
Further to my post a week ago about detecting theft, here is advice on reducing theft using your newsagency software.
Used properly, good Newsagency software can significantly cut the cost of theft.
Theft reduction is achieved through consistent use of the software throughout the business. The less consistent a business the less likely they are to uncover theft. Those most likely to steal will notice how the software is used and through this reach a conclusion as to the likelihood they will be caught.
Tracking stock from when it enters a business to when it leaves is the key to detecting and reducing theft by employees and customers. Too often, small and independent retailers do not fully track and manage stock – making them appealing businesses for people likely to steal.
Here are the steps involved in tracking stock and reducing the cost of theft:
- Enter all incoming stock into your POS software. Include the quantity received to ensure that the current quantity on hand is accurate.
- Write off stock that is thrown away.
- Scan-out all stock that is returned to the supplier for any reason. Good software will have
- Sell items by scanning the barcode. Too often items are sold using department keys and therefore not tracking each specific item sold.
- Reorder stock by producing a reorder report using your software. This can usually be done by using a desired quantity on hand as the guide for the software to reorder to. Note: this process alone will highlight stock on-hand discrepancies.
- Undertake a spot stock-take: count the quantity on hand of an item and enter that into your POS software and compare this against what the software thinks should be on-hand. A discrepancy can indicate theft.
Once all stock is setup in your software, the time taken for spot stock-takes is minimal. This time is funded from the reduced theft that will certainly result.
Employees who see you track stock movement through spot stock-takes and other activities listed here will be deterred from stealing from the business as they will see the risk of being caught is higher.
Manage your business professionally and consistently and theft will cost less.
How a lady buying flowers for her church helped a newsagent discover expensive employee theft
A lady bought flowers for her church from a nearby newsagency and had to return to the shop when she discovered the receipt showed she’d bought lottery tickets and not flowers. She needed a correct receipt for reimbursement.
On checking, the newsagent could not find the sale of flowers in the computer system for that amount. What was even more surprising was that they could not find a sale of lottery tickets at the time on the Point of Sale software receipt for the same amount.
Unable to reconcile the data, the newsagent called in the employee on the counter at the time asking why they could not find the lottery sale on the lottery terminal or the flower sale on the POS system. The employee advised that the lottery sale did not exist.
This employee, it turns out, would ask customers if they wanted a receipt before processing the sale and if the answer was no and the sale value was high, $20 or more, they would ring the sale up as lottery products. The employee kept a tally on their iPhone. Then, later in the day, they would buy lottery tickets to the value they had accrued in the POS software. The register would balance and the theft was not caught because the newsagent was not reconciling stock on hand.
The lady from the church had said no to a receipt. On realising she needed one to claim the cost of the flowers she returned to the shop and asked for one. This is how she ended up with a receipt for a lottery purchase equal to the value of the flowers she bought.
The employee admitted theft and was sacked. The police were called. The newsagent stopped looking for evidence after going through several months of data and getting to a theft value of $70,000.
Had this newsagent been controlling their stock and checking discrepancies they would have found the theft sooner and saved tens of thousands of dollars.
This story illustrates the potential cost of poor stock management.
How not stock-taking cigarettes cost a newsagency $50,000
A newsagency I spoke with recently discovered an employee theft problem including cartons of cigarettes among other things. They were not stock-taking cigarettes as they thought it was too hard to get it right. It turns out the challenge was the employee who was stealing and hurting the quality of their data.
The newsagent chose to blame their system and/or process and gave up when in fact the discrepancies should have been taken as an alarm that they were being stolen from.
There is no excuse for not stock-taking cigarettes. If you’re not doing it you’re missing the opportunity for early detection of theft and you are missing the opportunity for more accurate ordering of stock.
What frustrates me is that I encounter this every month or so – a newsagent uncovering long-term theft that includes cigarettes and that they are not using stock control for cigarettes. These newsagents have themselves to blame.
Newsagency theft story timely
Newsagents ought to read the story from The Sydney Morning Herald yesterday about the newsagency employee caught stealing more than $400 a day.
While it’s good to read about a conviction, my work with newsagents tells me that only a fraction of theft in newsagencies is detected. Here’s a reminder of what I wrote on employee theft last year:
Management tip: How to reduce employee theft in your newsagency
Retailers too often struggle with cutting the cost of employee and customer theft. They ignore opportunities to block theft and turn their backs on understanding the cost in their business. Here is best practice advice which, if followed, will reduce the cost of theft in any retail business.
- Establish a theft policy and stick to it. See below.
- Check references of prospective employees.
- Ask candidates if they would agree to a background check.
- Only sell what you arrive, bring into the store, through Point of Sale software. If you track it you can know if it has been stolen or not. If you do not track it who knows if it is stolen. [Most often businesses I work with to resolve theft issues would have found it sooner had they been doing this.]
- Track ALL sales – by scanning, touch screen button or PLU (product look up code), a hot key on your computer screen.
- Stop all department sales, sales where the employee gets to enter the amount of the item.
- Scan out ALL returns, products which are returned to suppliers.
- Undertake regular spot stock take throughout the business. The discrepancy between what you have and what the system has reflects theft.
- Reorder stock using your retail management software. This stops poor buying decisions. It also identifies stock theft and employee fraud around stock.
- Use employee initials, codes or bar codes against each sale. Yes, this adds time to each sale. The benefits far outweigh the time cost.
- Set an end of shift balance target of $5.00. Many retailers achieve this – it takes discipline.
- Change your system passwords regularly. Make it a condition of employment that these passwords are never shared.
- Do random, during the day, register balance checks. Check that the cash your computer system thinks should be in the cash drawer is what is actually in the cash drawer.
- Use your software to check and report on behavior which could indicate employee theft.
- Follow your suspicions regardless. Put your business ahead of friendships.
The cost to any retail business of customer and employee theft can be significantly reduced. The keys are retail owner and management engagement, full use of the software and relentless application of a zero tolerance approach.
Here is a suggested THEFT POLICY for employees to read and sign.
- Theft, any theft, is a crime against this business, its owners, employees and others who rely on us for their income.
- If you discover any evidence or have any suspicion of theft, please report it to the business owner or most senior manager possible immediately. Doing so could save a considerable cost to the business.
- We have a zero tolerance policy on theft. All claims will be reported to law enforcement authorities for their investigation.
- From time to time we have the business under discreet surveillance in an effort to reduce theft. This may mean that you are photographed or recorded in some other way. By working here you accept this as a condition of employment.
- New employees are to provide permission for a police check prior to commencement of employment.
- Cash is never to be left unattended outside the cash drawer or a safe within the business.
- Credit and banking card payments are not to be accepted unless the physical card is presented and all required processes are followed for processing these.
- Employees caught stealing with irrefutable evidence face immediate dismissal to the extent permitted by local labour laws.
- Employees are not permitted to remove inventory from the store without permission.
- Employees are not permitted to provide a refund to a customer without appropriate management permission.
- Employees are not permitted to complete their own sales.
- Every dollar stolen from the business by customers and or employees can cost us up to four dollars to recover. This is why vigilance on theft is mission critical for our retail store.
Take theft seriously.
Sunday newsagency management tip: establish a theft policy for your business
One way to demonstrate how serious you are about reducing the impact of employee theft on your newsagency is to create a theft policy and to publicise this with your team members.
Being open about theft, especially employee theft, demonstrates it’s on your mind. While I am no psychologist, this could be enough to stop people who think they can get away with it. Remember, people steal because they think they can get away with it.
My experience is that newsagents tend to not manage to reduce theft. This makes our channel attractive to some. Theft reduction starts with decisions by the owners of the business.
Click here to download a copy of one theft policy I have used in the past.
Do you check shopper bags in your newsagency?
Security people at one of the shopping malls where I have a newsagency returned around $65.00 worth of products stolen from us a couple of days ago. A team of a young girl, a lady in a wheelchair and another lady bought an item, distracted us and lifted a bunch of other product. Watching their action back on our security system was instructive as it showed where we were weak.
The only way we could combat them would be to introduce a greeter / security role responsible for bag checking. So that’s a question I have for this morning:
Do you check shopper bags?
I recall a newsagent in Hobart brought in a security officer for twenty or so hours a week and was able to fund the cost of security out of theft savings. I don’t want to go that far but I am curious what others do.
Small regular employee theft can be hard to track
I’ve been helping a business recently where an employee was stealing between $10 and $30 a day. They were stealing by not recording services the business charged for, services which were not reconciled in the business – thereby making uncovering the theft difficult.
It was only when the employee was not in the business for a time that it was noticed.
It’s important that you have processes to track everything, that all revenue, including for services, is reconciled.
This low-level theft, lunch money theft I’d call it, is as disgusting as employees who steal tens of thousands of dollars. The emotional cost is as high and the impact on the business can sometimes be almost as great.
Here’s a way to reduce shopper theft
Check out the way a drug store (pharmacy) in New York lets shoppers know they are being filmed. I like the text they run under the screen.
I’ve been a fan of screens like this in-store for ages but have not used text to provide context. Seeing it as I did some months back – the text makes sense. Providing safety and savings … video recording in progress. I bet they have this because the text coupled with the screen achieves more than the screen by itself.
I’d forgotten I had the photo and now I’ve found it again I’m placing text like this for under our in-store security screens.
Newsagents who have a security system but no screen in-store – I’d urge you to place a screen so customers can see you are filming them. The more people feel they are likely to be caught the less likely they are to try and steal from you.
Theft check service helps newsagents
My newsagency software company, Tower Systems, has emailed its customers reminding them of a free theft check service. It’s this service that has helped uncover hundreds of thousands of dollars in employee theft in the last six months. The processes followed result in evidence that is police, court and insurance company ready.
Newsagents tend to not want to check on employee theft because they are worried about what they will find. Ignorance is bliss I guess. It’s not when theft is discovered – often after the cost to the business is almost unbearable.
Here’s the reminder sent to newsagents this week:
We consider ourselves experts at helping our customers eliminate employee theft within their businesses. Employee theft can cripple a business and is often perpetrated by those you least suspect. We have found numerous instances of employee theft costing the businesses involved tens of thousands of dollars to hundreds of thousands of dollars.
With our assistance, businesses have been able to prevent further theft and, in certain cases, recover some of the money lost. We will gather evidence from your data and provide you with facts you can use.
Theft checks are available at no cost to supported users. They provide peace of mind.
We understand the importance of discretion in matters like these and will do our utmost to protect your data and deliver information to the relevant parties.
All newsagents should speak with their software company about what they can do to help uncover employee theft and act on this.
The cost of staff vs the cost of customer theft
Newsagents need to approach their roster with care since labour can account for between 30% and 50% of all gross profit earned in the business. Too often I see newsagents staff for comfort and out of fear of shopper theft and thereby cost the business more than if shopper theft had occurred.
It’s a calculation you need to make on your situation. I’d say saving money off the roster will deliver a more beneficial outcome than paying more in labour and reducing theft – if your shop layout is good and if you have good theft management and mitigation processes in place.
This is on my mind today as I have been in a couple of newsagencies where the roster carried extra hours because of fear of theft. The roster cost several hundred dollars a week more than necessary in my view.
The other note I’d make is that the more employees the greater the risk of employee theft.
Change your password now!
One newsagent this morning has discovered they are tens of thousands of dollars worse off because they did not change their business password. An employee used the password to manipulate data and hide the theft of cash. The newsagent’s distress is amplified by the realisation that basic steps to protect the business against such action were ignored.
Passwords exist to protect you and your business. Treat them with respect.
Trusting shoppers on theft pays off
Four weeks on, the display on the lease line with three large Beanie Ball plush items and our interactive dog has experienced NO theft. Despite being far away from the counter and quite easy to steal from, our property has been respected.
We’re surprised … we expected to lose one or two and were prepared to take the risk.
I am glad we did not give in to fear of theft and not display these items in this best location. Had we given in to fear of theft we might not have achieved sales of close to $3,000 of these two items alone.
Magazine theft problem in Brisbane?
Further to my reports here recently about a magazine theft problem experienced by some newsagents, I have been contacted by a newsagent with a report that some sub agents only want them to supply weeklies, saying that is all they need. Checking in these shops shows a range of monthlies on display – being sourced outside the traditional sub agent relationship.
The question is where these magazines are coming from. If they are being sourced through a newsagent the margin would most likely be the same. It begs the speculation that the monthlies are stolen magazine stock. The sub agents when asked are vague in their answers.
This situation demonstrates that there is leakage somewhere in the supply of monthly magazines in Brisbane.
Tyro offers newsagents a more secure solution
A story from BankingDay, a banking industry publication, highlights the importance of security and helps underscore the value of the Tyro broadband EFTPOS solution for newsagents.
Tyro has created a technically better and more secure solution that protects the merchant (the newsagent) from the sort of compromises that out of date banking technology all too often can expose them (you) to. Tyro security is validated with an independently assessed PCI-PA DSS certification. This is important.
Here is the start of the BankingDay story:
Romanian scam forced thousands to fix systems
07 December 2012 7:00am
The alleged A$30 million Romanian credit card scam caused possibly the largest remediation effort ever undertaken within the Australian consumer payments system in the 18 months before last week’s arrest of the scammers.
Only 46 stores were confirmed to have been hacked in the scam last week, at a cost estimated at $30 million.
But industry sources have told Banking Day that thousands of merchants were required to have their systems “remediated” in the months after the scam came to light in June 2011, to fix their vulnerability. The remediations needed included changes to software, hardware and network configurations needed to prevent access to customer data.
Many of the stores affected were franchisees of Metcash’s IGA grocery chain, sources confirmed. A spate of mid-2011 media reports described unsolved fraud outbreaks centred on IGA stores from as far afield as the Melbourne suburb of Warrandyte to regional Victorian towns like Horsham and Castlemaine and NSW regional towns such as Orange and Junee.
The victims of the Warrandyte fraud wave, which was centred on the Warrandyte SUPA IGA store, reportedly included two police officers.
At publication time, it remains unclear whether sanctions will be applied to anyone in the chain of parties that allowed the system vulnerabilities to be created and to continue for several years.
The scam was enabled by poor store decisions about hardware, software and IT service providers that may have been influenced both by franchisors such as IGA and by the acquiring banks. A Mastercard spokesperson told Banking Day that the acquiring banks were responsible for ensuring that their merchants complied with the industry data security standard, PCI DSS.
Read the rest of the story here.
This is important because not all EFTPOS solutions are equal when it comes to security.
Newsagents wanting to know more about EFTPOS security and Tyro should speak with Chris Ball on 02 8907 1748. Tyro works with a range of newsagency software systems.