In retail, carefully applied security measures clearly benefit the bottom line. But retail security and loss prevention also covers a lot of ground.
The list of security threats includes direct theft—from random shoplifters through organized retail crime and dishonest clerks—as well as accidental loss and product diversion. And digital issues are no minor concern either, given high-profile attacks like card skimming and data theft through wireless networks.
Don't be paranoid, just be prepared! Here's a roundup of in-depth security coverage from CSO for large and small retailers alike. You'll find advice from retail leaders on security from point of sale back through the supply chain and everywhere in between.
UPDATED 9/13/2011 (Edited and formatted 8/27/2015)
Point of sale security measures
Card skimming, under-ringing, sleight-of-hand—there's lots to watch for at the cash register.
- Self-checkout systems remain a weak spot
- Video analytics are useful but need improvement
- Consider RFID tags that monitor movement of high-value goods
- Encrypt data all the way from card scanner through backend systems
Cash, cards, inventory and customer data intersect at the point of sale. Here's how to keep your defenses up to date.
MICROS Systems' CISO on allowing remote point-of-sale support without opening customers up to potential breach
- Crooks broke into retail locations and replaced checkout PIN pads with ones that would capture card data for later theft.
Criminals' use of phony checkout devices illustrates the need for coordinated retail defensive measures.
PCI DSS compliance
Retailers (and everyone else) who use credit cards have to play by new rules. This section offers practical coverage of the PCI Data Security Standard and how it applies to your business. How to reduce PCI scope
Expert guidance on saving time and money by carefully scoping PCI validation efforts.
Compensating controls are a standard part of any security posture. But what makes an effective compensating control?
Encryption seems like the simple answer to data security problems. So why is end-to-end encryption not ubiquitous? Implementation challenges abound. Here's how to handle encryption's 'key issues'.
Two PCI QSAs offer compliance strategies for PCI's application security requirements.
The role of wireless networks continues to grow in retail operations. Don't let these networks be a weak spot where criminals can intercept important data.
Retailers who offer their customers wireless connectivity face some risk from programs like the Firefox plugin Firesheep, which identifies users on an open wireless network who are visiting an insecure website.
Whether your wireless is for customers or for back-office use, you should know the basics of keeping unwanted activity off your network.
How to investigate employee theft
Security and investigative tactics for making sure retail employees aren't skimming from the till or making sweetheart deals for their friends.
Field techniques and tests for detecting internal retail theft, including double buys, combination buys, and refund buys. Excerpted from Private Security and the Investigative Process by Charles Nemroth. Nemroth also provides a sample report form to help ensure retail investigations are thorough and well-documented.
- Demonstrating consistent attention to security and to investigation of theft helps discourage insider crimes.
- Conduct occasional field tests involving complicated purchases, and closely document sales prices and cashier behavior.
- Security tests should also note and improve customer service procedures.
Shoplifting, boosting, retail theft
Knowing how thieves operate is half the battle in preventing these types of retail crime.
Investigations leader Brandon Gregg says stores should keep their focus on the floor to beat booster rings.
The 2010 Global Retail Theft Barometer finds theft was down from 2009 rates. But more than a quarter of U.S. retailers were still impacted by crime.
Technologies that offer convenience to shoppers also assist criminals (including employees) with retail theft.
- Common scams include counterfeit coupons, self-checkout fraud, sweetheart deals, building a 'bank', refund fraud
With the economy tanking, security pros see a spike in old-time thievery. And what do people steal in recessionary times? Cash, clothes, cigarettes, copper—pretty much everything.
Organized retail crime (ORC or ORT)
Small, loosely connected gangs illustrate the challenge of stopping organized retail theft.
Key defensive strategies include:
- Diverse hiring in the security department
- Intergroup collaboration like LERPnet
- Surveillance technology
- Partnerships between stores and local law enforcement
Loading dock and supply chain security
Companies struggle to secure the loading dock, that sensitive spot where inventory comes in and goes out. Follow these best practices and sleep better tonight.
Supply chain threats: 5 game-changing forces [Note: full article requires Insider registration.]
Supply chain security is being remade by black swan events, economic blahs, and more. What can a CSO do to keep goods and information flowing?
Case study: Business-focused retail security
Aligning corporate security with corporate priorities makes everyone's fortunes rise. A look behind the counter at Dunkin' Donuts' parent company. [Note: full article requires Insider registration.]
- Integrating point-of-sale and video speeds investigation and collects reliable evidence
- Derive security goals from business goals including mission statement
- Focus metrics on how security activities increase company and business partner profits
Selected older retail security articles. Most of the best practices and security issues discussed remain applicable today.
Cash handling and restaurant loss prevention
Friendly's Restaurants' Ernie Patnode approaches cash management with a lot of common sense, a little technology and, yes, politeness (2006)
Fencing stolen goods
Criminals use online auctions as a place to unload stolen, diverted and counterfeit products. (2005)
Loss prevention experts like Tiffany CSO David McGowan say closer integration among security disciplines will go a long way toward managing the retail industry's myriad risks (2004)
Preventing card-not-present fraud
In the struggle to prevent fraudsters from turning stolen credit cards into cash online, retailers are the country's last, best defense (2006)
Product diversion costs manufacturers millions, but often isn't technically illegal. CSOs say combating diversion involves equal parts investigation and corporate politicking (2005).