While waiting in line at a local fast food restaurant recently, I
noticed a sign that you would normally only see in the breakroom or on
an employee bulletin board out of sight from the customers.
It was titled (in the giant-sized headline usually reserved for major
news events) “Credit Card Fraud is a Federal Crime” and went on to
advise the employees of this chain of restaurants that capturing, or
“skimming,” a card number from a customer’s card is a crime, even if you
don’t use the card number to purchase something.
The simple act of skimming the card number with the intent to sell or
give it to a bad guy can result in a 10-year sentence at the federal
level, plus other state laws may also apply.
This notice reminded me that, much like shoplifting, you can’t just
work on protecting your company from outside bad guys. The sorry fact is
that you also need to look inward to make sure you have appropriate
procedures in place for staff.
As with theft of merchandise, the inside job will probably result in a higher loss and go on for a lot longer.
If you have not already done so, you should take a minute and watch
what happens to a credit card transaction within your business and see
if you can determine weak points in the process.
You should be watching for points where card data are left “alone”
with just one person. Does the employee take the consumer’s card (or the
card information in a non face-to-face transaction) and have time to
secretly record this data?
While most transactions in a face-to-face environment occur in front
of the consumer, and in theory the consumer is watching the card during
the transaction, some don’t. These include a drive-through shopping
experience or a sit-down restaurant.
Some businesses offer shopping experiences where there may be a time
that the customer is not near the credit card terminal during the
transaction. If your business model has these types of situations, you
should be even more alert to behaviors of staff members and to calls
from cardholders indicating anomalies with their cards after purchasing
something from your store.
In one recent case, a retailer hired a staff member who was fluent in
a second language to handle calls from customers who did not speak
English. Knowing he was the only employee who spoke the other language,
the employee decided to steal card data only from customers who spoke
that language. He knew that any complaints would be routed through him
for translation, and he could control the situation.
Think of card data as cash. You have systems and procedures in place
to control access to cash, and you should be doing the same thing with
card data!
John Mayleben, CPP, is RPN senior vice president technology and new
product development and a national expert on electronic payment
processing. Contact John at jmayleben@retailers.com.