Remember ... SALES + LOSS PREVENTION = GOOD BUSINESS

Credit and Debit Card Fraud A r t i c l e c o n t r i b u t e d b y B i l l C a f f e r t y ,

R e t a i l L o s s P r e v e n t i o n C o n s u l t a n t

JUNE 2011LP CornerA monthly publication brought to you by the Retail Loss Prevention department. Providing

Ace Hardware retailers with professional, cost-effective loss prevention services since 1994.

The vast majority of retail sales transactions are now being paid for with either a credit or debit

card. The use of paper checks has become passé, and only a relatively small percentage of

customers routinely use cash anymore; normally only those who either can't qualify for a credit

or debit card or who have a predisposition not to use them. A survey published by the National

Retail Federation earlier this year¹ reported that nearly 42% of all 2010 holiday season purchases

were with a debit card, with another 28% by credit card, meaning that 70% of all purchases were

paid for with “plastic.” Of the remaining 30% of sales, 26% were paid for with cash and 4% by

check. What does all of this mean to you as a retailer?

• First, it is important you know those who make a living stealing from others constantly

adapt to the ever-changing methods of payment. The fraudulent credit and debit card business is

booming today, and identity theft involving credit and debit cards remains on the rise (over

250,000 complaints of identity theft were received by the Federal Trade Commission in 2010).

• Secondly, there have been a number of innovative steps taken by issuers of credit and debit cards

to better protect card holders. It is important that you and your cashiers stay current and

know/understand those enhancements as they occur.

• Thirdly, there have been changes in policies regarding the processing of payments made with these cards that place requirements on

retailers which must be followed, and can be very costly to the retailer if not followed.

The credit and debit card industry has beefed up its internal security protocols; developed elaborate software designed to instantly

alert them to unusual use and suspected abuse of cards; and is continually working on the development of more technologically

sophisticated card features to make it more difficult for fraudsters to create and use bogus cards.

Payment Card Industry Data Security Standards (PCI DSS) have placed strict requirements on retailers to protect the privacy

of credit and debit card holders and reduce the opportunity for theft and misuse of card numbers. One PCI DSS requirement is

a mandatory self-assessment by retailers to assess their level of compliance with the program. The other requirement is to have

a quarterly network IP scan conducted. Ace Hardware's guidance regarding PCI DSS can be found on ACENET/ACEONLINE. All

PCI-related questions should be directed to Cathy Nelson, Ace PCI Administrator, 630-990-2814, pcidss@acehardware.com.

The Federal Trade Commission's (FTC) RED FLAGS RULE places a requirement on certain businesses to implement

a written Identity Theft Prevention Program that is designed to detect the warning signs–or “red flags”–of identity theft in

their day-to-day operations. Businesses that provide in-house consumer accounts designed to permit multiple payments or

transactions–or any other account for which there is a reasonably foreseeable risk of identity theft are subject to this law.

Please go to http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml for detailed information on your responsibilities,

if any, under this federal law.

31_114722_0611

1

Announcements &Upcoming Events

Training:

• Join RLP at the DenverConvention for a full-dayowner/manager workshop!

• New Ace LearningPlaceTraining Available° 14 — NRHA Loss Prevention:

External Theft Prevention for Managers

° 13 — NRHA Loss Prevention: Store Safety for Managers

• FREE Webinars° Retail Theft Scams

° Shoplifting Awareness

CONTACT US FORMORE INFORMATION:Phone: (630) 972-2670www.acelossprevention.com

114722_June_LPCrnr:114722_June_LPCrnr 6/2/11 12:52 PM Page 1

Want to receive a copy of LP Corner every month directly at your email address? Send us a request at info@acelossprevention.com with your email address, store number, and any specific topic

requests for future publications.

Remember ... SALES + LOSS PREVENTION = GOOD BUSINESS2

The FTC has many pamphlets and online educational materials for businesses that provide a wealth of guidance and

recommendations. One of the more popular and comprehensive online pamphlets, entitled “Protecting Personal

Information–A Guide for Business” can be found at http://www.ftc.gov/bcp/edu/microsites/infosecurity/.

_______________________________________________________________________________

¹ National Retail Federation Survey conducted by BIGresearch, Nov. 3-9, 2001, 8778 respondents.

Following are basic actions that Ace retailers should take in order to limit the potential for a data breach.

• Install and maintain a firewall configuration to protect cardholder data.

• Do not use vendor-supplied defaults for system passwords and other security parameters.

• Protect store cardholder data.

• Encrypt transmission of cardholder data across open, public networks.

• Use and regularly update anti-virus software.

• Develop and maintain secure systems and applications.

• Restrict access to cardholder data by business need-to-know.

• Assign a unique ID to each person with computer access.

• Restrict physical access to cardholder data.

• Track and monitor all access to network resources and cardholder data.

• Regularly test security systems and processes.

• Maintain a policy that addresses information security.

• Conduct pre-employment criminal history checks on all new hires whose duties will give them access to customers' credit and debit cards and other personal information.

• If it is absolutely necessary to maintain hard copy records of any personal customer information, it MUST

be secured in lockable containers and the keys to those containers MUST be strictly controlled.

Credit and Debit Card Fraud CONT.

Protecting data, whether it be customer credit and debit card data, or other personal data of customers ANDassociates, is a critical responsibility of all employers. The consequences of not providing adequate protection can be extremely costly to an employer. A service offered by Retail Loss Prevention through its preferred vendor-partner Risk Management Services Loss Prevention (RMSLP), is an on-site survey program that reviewsand audits vital internal control processes. Please call us at 630-972-2670 or email info@acelossprevention.comto learn more about this program. Visit us on the web at www.acelossprevention.com.

114722_June_LPCrnr:114722_June_LPCrnr 6/2/11 12:52 PM Page 2