The direct cost of crime
within the UK retail sector rose by 6% during 2017 to stand at £700 million. The majority of this cost is attributed to customer theft and violence but fraud perpetrated against retailers still accounts for £155 million of that total. While this actually represents a 15% fall, year-on-year, the fact that most of this stems from insider fraud or credit card transaction fraud will remain a concern for businesses (as will the 36% increase in the cost of theft by employees) operating in a sector where staff turnover is so high.
The Payment Card Industry Data Security Standard (PCI-DSS)
was introduced in 2006 to improve the security of card payments, protect sensitive cardholder data and reduce card fraud. It was also seen as a way of creating a consistent, worldwide approach to cardholder security in all sectors, such as retail, that handle high card payment volumes. Any organisation that holds, processes or exchanges cardholder information from any of the following - American Express, Discover Financial Services, JCB, Mastercard and Visa - is expected to comply with the Standard.
While much of the Standard relates to technology, systems and data, there is a personnel element to it as well. The Standard requires that background screening
be conducted on any employee who will have access to multiple cardholders’ data or the cardholder data environment. For employees who only have access to a single customer’s card data at a time – such as a shop cashier – background grounds are merely recommended, rather than expected. The Standard does not actually stipulate the individual checks that should be included within this process. It does however recommend a best practice combination of identity, criminal records
, employment references
and credit checks
; all as part of an effort to “minimise the risk of attacks from internal sources”.
As well as considering new hires, a firm’s background screening policy
should also take into account what happens when current employees move into new roles with greater levels of card data access or responsibility. Such instances would require repeat – or even enhanced – checks. In fact, the debate around repeat checks for all existing employees is one worth considering (Post-employment screening
), bearing in mind the high proportion of insider fraud that is committed (across multiple sectors, from retail to financial services) by long-serving employees whose personal circumstances are much changed from the point when they were hired. Fines can be levied against firms which fail to comply with PCI DSS.
However, the potential impact of non-compliance can be felt in many other ways when an otherwise avoidable security incident occurs. Financial losses from fraud, impaired relationships with card payment providers and the cost of forensic investigations can hurt a business significantly. While a business may be able to recover on those fronts, the accompanying reputational damage and loss of public confidence can prove fatal.
Individuals employed by retailers who operate airside within UK airports will also be subject to the stringent vetting required to be issued with airside ID passes.
For more information read our coverage of the Aviation