Retail security: Critical strategies
Starting a job in retail security? Just double-checking your defenses? Here's a roundup of security strategies for protecting retail inventory, profits and employees.
By Derek Slater
CSO —
In retail, carefully applied security measures clearly benefit the bottom line. But retail security and loss prevention also cover a lot of ground.
The list of security threats includes direct theft—from random shoplifters through organized retail crime and dishonest clerks—as well as accidental loss and product diversion. And digital issues are no minor concern either, given high-profile attacks like card skimming and data theft through wireless networks.
Don't be paranoid, just be prepared! Here's a roundup of in-depth security coverage from CSO for large and small retailers alike. You'll find advice from retail leaders on security from point of sale back through the supply chain and everywhere in between.
UPDATED 9/13/2011
Point of sale security measures
Card skimming, under-ringing, sleight-of-hand—there's lots to watch for at the cash register.
Security at the point of sale
Cash, cards, inventory and customer data intersect at the point of sale. Here's how to keep your defenses up to date.
Takeaways: Self-checkout systems remain a weak spot; video analytics are useful but need improvement; consider RFID tags that monitor movement of high-value goods; encrypt data all the way from card scanner through backend systems.
Case study: Secure remote access for POS vendor
MICROS Systems' CISO on allowing remote point-of-sale support without opening customers up to potential breach
Case study: Converging physical and cyber security at Stop & Shop
Criminals' use of phony checkout devices illustrates the need for coordinated retail defensive measures.
Takeaways: Crooks broke into retail locations and replaced checkout PIN pads with ones that would capture card data for later theft.
PCI DSS compliance
Retailers (and everyone else) who use credit cards have to play by new rules. This section offers practical coverage of the PCI Data Security Standard and how it applies to your business.
How to reduce PCI scope
Expert guidance on saving time and money by carefully scoping PCI validation efforts.
PCI and compensating controls
Compensating controls are a standard part of any security posture. But what makes an effective compensating control?
PCI compliance and end-to-end encryption
Encryption seems like the simple answer to data security problems. So why is end-to-end encryption not ubiquitous? Implementation challenges abound. Here's how to handle encryption's 'key issues'.
PCI and application security requirements
Two PCI QSAs offer compliance strategies for PCI's application security requirements.
Wireless security
The role of wireless networks continues to grow in retail operations. Don't let these networks be a weak spot where criminals can intercept important data.
Is it legal to use Firesheep at Starbucks?
Retailers who offer their customers wireless connectivity face some risk from programs like the Firefox plugin Firesheep, which identifies users on an open wireless network who are visiting an insecure website.
Wireless security basics
Whether your wireless is for customers or for back-office use, you should know the basics of keeping unwanted activity off your network.
How to investigate employee theft
Security and investigative tactics for making sure retail employees aren't skimming from the till or making sweetheart deals for their friends.
Retail theft investigations: Tactics and strategies
Field techniques and tests for detecting internal retail theft, including double buys, combination buys, and refund buys. Excerpted from Private Security and the Investigative Process by Charles Nemroth.
Nemroth also provides a sample report form to help ensure retail investigations are thorough and well-documented.
Takeaways: Demonstrating consistent attention to security and to investigation of theft helps discourage insider crimes. Conduct occasional field tests involving complicated purchases, and closely document sales prices and cashier behavior. Security tests should also note and improve customer service procedures.
Shoplifting, boosting, retail theft
Knowing how thieves operate is half the battle in preventing these types of retail crime.
Organized Retail Crime? Forget the hype and focus on basics!
Investigations leader Brandon Gregg says stores should keep their focus on the floor to beat booster rings.
Report: Global retail theft decreases in 2010
The 2010 Global Retail Theft Barometer finds theft was down from 2009 rates. But more than a quarter of U.S. retailers were still impacted by crime.
Technologies that offer convenience to shoppers also assist criminals (including employees) with retail theft.
Takeaways: Common scams include counterfeit coupons, self-checkout fraud, sweetheart deals, building a 'bank', refund fraud
Recession woes: What people steal
With the economy tanking, security pros see a spike in old-time thievery. And what do people steal in recessionary times? Cash, clothes, cigarettes, copper—pretty much everything.
Organized retail crime (ORC or ORT)
Organized crime and retail theft: Facts and myths
Small, loosely connected gangs illustrate the challenge of stopping organized retail theft.
Takeaways: Key defensive strategies include diverse hiring in the security department; intergroup collaboration like LERPnet; surveillance technology; partnerships between stores and local law enforcement.
Loading dock and supply chain security
10 steps to loading dock security
Companies struggle to secure the loading dock, that sensitive spot where inventory comes in and goes out. Follow these best practices and sleep better tonight.
Supply chain threats: 5 game-changing forces
Supply chain security is being remade by black swan events, economic blahs, and more. What can a CSO do to keep goods and information flowing?
Case study: Business-focused retail security
Sweet success: Dunkin' Brands security focuses on making dough
Aligning corporate security with corporate priorities makes everyone's fortunes rise. A look behind the counter at Dunkin' Donuts' parent company.
Takeaways: Integrating point-of-sale and video speeds investigation and collects reliable evidence; derive security goals from business goals, including mission statement; focus metrics on how security activities increase company and business partner profits.