Red Flag Clarification Act Passed

12/15/2010

Both the House and Senate have passed the “Red Flag Program Clarification Act of 2010” (S. 3987), which would amend the Fair Credit Reporting Act’s “Red Flags Rule” to clarify which organizations or “creditors” are required to institute an identity theft prevention program. The bill awaits the President’s signature, and will most likely put an end to the speculation as to which types of service providers will be expected to comply with the Red Flags Rule.

Is Chip and PIN Coming to America?

12/10/2010

Even as retailers are still in the thick of the holiday shopping season (see last week’s tips series), it may not be too early to start thinking ahead, as 2011 could bring significant change for banks, retailers, and consumers alike. Earlier this year, Wal-Mart announced that it was converting its POS devices to take chip and PIN technology for payment transactions, a move that has caused much speculation as to how important this new technology will be in the US next year. Given the reluctance that US financial institutions have shown in past years to make what’s perceived as a costly transition, many have asked the question: will this be the impetus the US needs to make the leap?

Retailers: Tips to Keep Your Organization’s (and Your Customer’s) Sensitive Information Safe Tip #4

12/03/2010

Tip #4: Provide adequate privacy considerations for your customer incentive and online marketing programs

During this season, half the battle for retailers is simply gaining the customer’s attention. The most recent trend is the use of social networking and mobile phone apps to offer incentives, coupons, and general information to consumers – and, of course, to collect data. This is a wonderful opportunity, but it also leaves you with a lot of data to protect, and protect it you should. One of the driving costs of data breaches is the loss of business that comes as a result. According to Ponemon Institute reports, the abnormal customer churn (or turnover) rate resulting directly from a data breach is slightly higher than last year — up from 3.6 to 3.7 percent in 2010.

Retailers: Tips to Keep Your Organization’s (and Your Customer’s) Sensitive Information Safe Tip #3

12/02/2010

Tip #3: Monitor your Point-of-Sale Equipment Closely

Earlier this year, we included a blog entry about the increasing trend of Point of Service attacks, particularly those where the entire POS device is removed and replaced with one that records all transactions, including PINs. While some of this is, no doubt, insider activity, it should be pointed out that many retailers that have experienced this type of data breach insist that their employees had nothing to do with it. Many security experts suggest that the thieves may actually employ social engineering tactics to trick employees into giving them access to the devices – for instance, posing as a repairman.

Retailers: Tips to Keep Your Organization’s (and Your Customer’s) Sensitive Information Safe Tip #2

12/01/2010

Tip #2: Train all of Your Employees to Properly Handle Sensitive Information

When your employees deal directly with customers, they encounter a myriad of potential security risks that other industries do not. Earlier this year, we discussed a customer service mistake that could have had major implications for the customer and the store.

Retailers should provide regular security training to employees in proper handling, storage and disposal of sensitive personal information and host additional training sessions prior to major shopping seasons (e.g., 2010 holiday shopping season) as a refresher. Be sure to include all temporary employees in these sessions, as well. In the training sessions, provide information that helps employees stay up-to-date on the latest scams as well as techniques for detecting fraud.