Retail Data Security-Intersection of the Physical and Digital Worlds
Recorded Webinar, October 2015
Sponsored by the ASIS International Economic Crime Council
Speaker: Joe Biffar, CFE, CFI, Manager, Corporate Loss Prevention and Security, Chico’s FAS, Inc.
The speaker begins with the promise to walk through the life cycle of digital fraud, including carding sites, e-commerce fraud, and omni-channel investigations. Reminding the listeners that no company is immune to breaches, he focuses on mitigation efforts and incident responses. He advocates using a holistic approach to developing an enterprise risk plan—to include a risk assessment and penetration testing. The planners should represent cross functional groups, representing the diversity of the retail establishment. Should a breach occur, he recommends cooperating with the U.S Secret Service Electronic Crimes Task Force as early as possible. Additional points:
- Not all breaches are malicious, but all should be investigated.
- Being PCI-DSS compliant does not mean a store’s products or data will not be stolen or hacked.
- Staying on top of fraud alerts is vital. A retailer ignored as many as 60,000 alerts only responded when it was too late.
Shutting Down Retail Theft
Security Management, November 2013
Author: Teresa Anderson, Editor-in-Chief
This article follows a case study centered on Cabela, the retailer of hunting, fishing and outdoor gear with 46 stores in the United States and Canada. Five years ago, Cabela’s asset protection team began using statistics to analyze return rates, shrink, key performance indicators to develop more effective policies and procedures. They looked into the correlation between tagging and shrink, revisited the company’s return policy, and developed risk profiles to designate each store as a high, medium, or low risk. Each risk level is associated with a specific security plan that designates everything from staffing levels to asset protection measures. The department includes an organized retail crime team, which builds interconnections and finds trends and patterns though link analysis. The retailer also created an e-commerce component within the asset protection team to identify and resolve organized e-commerce fraud, again using link analysis. Consider the following results:
- Merchandize protection costs, including the absorption of shrink, decreased by 40 percent.
- The new security plans saved 15 percent to 20 percent on physical security.
- The e-commerce fraud unit shut down a gang that had completed 117 transactions in 90 days, resulting in $100,000 in fraudulent sales.
ASIS International Retail Loss Prevention Council Newsletters
Council Chair Alan Greggo, CPP, CFE
Both newsletters begin with introduction to the Council and an updated round-up of industry-related conferences. What follows are articles by council members on topics of interest to all.
In-store Firearms Carry—Much More than a Belt and Holster. Author Bill Napier discusses the potential ramification of employees carrying loaded firearms while working at a firearm retail store. He underscores the need for the company to set a written policy on why the firearms should be in the store, will it conform to the law, and will armed staff be able to handle a life-threatening situation.
Active Shooters…New Trends and New Solutions. Author Timothy DImoff, CPP points out that since the 1999 Columbine High School shooting, security personnel have acknowledged mistakes and moved forward. One new concept is ALiCE (Alert, Lockdown, inform, Counter, Evacuate). Another change has been the realization that training for first responders must acknowledges who the actual first responders are—the potential victims.
Tips on Preparing for the Holiday Selling Season. Council Chair Alan Greggo, CPP, offers numerous tips for educating staff, especially new hires, about the store’s loss prevention and asset protection policies. Other tips include the following:
- Arrange armored car pickups and extra pickups where large deposits are expected so the cash doesn’t sit in the safe.
- Ensure store associates know how to report a theft according to your company’s policy.
Critical Issues in Retail Loss Prevention & Asset Protection
Seminar Session 3207, September 2014
Speakers: Keith Aubele, CPP, President and CEO, Retail Loss Prevention Group, Inc.
Mark Guadette, CPP, Director of Loss Prevention, Big Y Foods, Inc.
Read Hayes, Research Scientist/Director, University of Florida
Karl Langhorst, CPP, Corporate Director, Loss Prevention, Kroger Company
Steve Lindsey, CPP, Senior Director Global Security, Walmart Stores, Inc.
Kathleen Smith, Vice President of Loss Prevention, The Safeway Companies
Retail Theft, Inc.
Security Management, October 2014
Author: Keith Aubele, CPP, President and CEO, Retail Loss Prevention Group
Organized retail crime (ORC) syndicates are structured and operate just like any other legitimate business operations, writes the author. A typical ORC cell consists of three layers. The boss decides what merchandise to steal and which fence will receive it. Boosters shoplift the merchandise and receive between 20 cents and 25 cents on the dollar. The top boosters see their work as a career position. Fences today have had success in setting up their own brick-and-mortar stores. Retailers large and small have banded together to disrupt this simple crime model through the following initiatives:
- Large retailers have set up teams to educate law enforcement and government officials on how to eradicate ORC by identifying hotspots
- Tools developed to ebb the tide of ORC damage include shopping cart lockdown devices and tools that limit the number of items a shopper can take at one time.
- A retailer dedicated one store detective as the company’s court representative to file, present evidence, and testify at all ORC cases.
Subject Guide on Retail Security and Loss Prevention
ASIS IRC Reference Guide
A comprehensive review of the
Security Management articles, Council Papers, CRISP Reports, Books, recorded Annual Seminar Educational Sessions, and recorded Webinars available through ASIS International that can assist loss prevention professionals in their efforts to disrupt organized crime syndicates and nefarious employees or outsiders intent on stealing merchandise for their own gain. The array of possibilities weave together risk analysis, IT security, and asset protection.
Crime, Security, and Prevention: An Encyclopedic Reference
Edited by Charles Sennewald, CPP and John Christman, CPP
Butterworth Heinemann Elsevier 2008
Reprinted with permission from Elsevier/Butterworth-Heinemann, Copyright © 2008
This section of the larger book focuses on the do's and don'ts of how security professionals should respond to a civil disturbance, which may include a terrorist attack. Among the fifteen positive steps and five mistakes are the following:
- Ensure that both store and operations managers carry a security radio at the first sign of a disturbance, the store command center is staffed at all times by responsible individuals, and use a portable radio to monitor local news.
- Determine in advance whether a store in the immediate area of any riot of civil disturbance will be evacuated, who will order that evacuation (for insurance purposes), and whether lights will remain on or be turned off.
- Establish a safe haven such as an office or dock to shelter customers and employees until order is restored.
- Do not tie up phone lines by communicate directly with other stores. All communication should be restricted to a regional command center or local emergency services.
Retail Security: 150 Things You Should Know
Authors: Louis Tyska, CPP and Lawrence Fennelly, CPP
ASIS International 2002
Part V: Crowd Control Management
This chapter lays out a clear philosophy on crowd control and management in four sections, including the psychology of a crowd, what can go wrong, and self defense practices applicable to security professionals. It also discusses an appropriate security presence, peaceful interaction, the use of reasonable force, and the need to protect assets. During special events in a retail setting, such as a mall, professional relations between security personnel and a client are key. The authors also define security's role in dealing with four types of crowds:
- Acquisitive: Members are motivated by they desire to get something but can be dangerous when individuals panic.
- Expressive: A group gathers to express their concerns or opinions about an issue, but the atmosphere can become emotional, and individuals can become agitated or abusive.
- Spectator: Individuals who gather for a concert, show, or seminar can become agitated by inconsiderate behavior or the abuse of alcohol or drugs.
- Hostile: Strikers, activists, or political demonstrators pose a high potential for violence. The best tactic to defuse the crowd is to remove the hostile leader.