Retail & PCI-DSS

The direct cost of crime within the UK retail sector rose by 6% during 2017 to stand at £700 million. The majority of this cost is attributed to customer theft and violence but fraud perpetrated against retailers still accounts for £155 million of that total. While this actually represents a 15% fall, year-on-year, the fact that most of this stems from insider fraud or credit card transaction fraud will remain a concern for businesses (as will the 36% increase in the cost of theft by employees) operating in a sector where staff turnover is so high.  

The Payment Card Industry Data Security Standard (PCI-DSS) was introduced in 2006 to improve the security of card payments, protect sensitive cardholder data and reduce card fraud. It was also seen as a way of creating a consistent, worldwide approach to cardholder security in all sectors, such as retail, that handle high card payment volumes.  Any organisation that holds, processes or exchanges cardholder information from any of the following - American Express, Discover Financial Services, JCB, Mastercard and Visa - is expected to comply with the Standard. 

While much of the Standard relates to technology, systems and data, there is a personnel element to it as well. The Standard requires that background screening be conducted on any employee who will have access to multiple cardholders’ data or the cardholder data environment. For employees who only have access to a single customer’s card data at a time – such as a shop cashier – background checks are merely recommended, rather than expected. The Standard does not actually stipulate the individual checks that should be included within this process. It does however recommend a best practice combination of identity, criminal records, employment references and credit checks, all as part of an effort to “minimise the risk of attacks from internal sources”.

As well as considering new hires, a firm’s background screening policy should also take into account what happens when current employees move into new roles with greater levels of card data access or responsibility. Such instances would require repeat – or even enhanced – checks. In fact, the debate around repeat checks for all existing employees is one worth considering, bearing in mind the high proportion of insider fraud that is committed (across multiple sectors, from retail to financial services) by long-serving employees whose personal circumstances are much changed from the point when they were hired. Fines can be levied against firms which fail to comply with PCI-DSS.

However, the potential impact of non-compliance can be felt in many other ways when an otherwise avoidable security incident occurs. Financial losses from fraud, impaired relationships with card payment providers and the cost of forensic investigations can hurt a business significantly. While a business may be able to recover on those fronts, the accompanying reputational damage and loss of public confidence can prove fatal.

Individuals employed by retailers who operate airside within UK airports will also be subject to the stringent vetting required to be issued with airside ID passes. For more information visit our Aviation page.
Checks that employers may want to consider running in this sector


Right to Work: We’ll ensure that a candidate’s documentation meets the current Home Office requirements. We can also repeat checks as and when needed for individuals who have a limited entitlement to remain in the UK.

Identity checks: To prevent employers falling victim to identity fraud, we can undertake electronic verification checks on identity documents provided by a candidate. Alternatively, we can provide online identity checks, using biographical data.

Criminal record checks: We’ll undertake the appropriate level of UK criminal record checks, subject to strict eligibility guidelines. We’re also able to obtain overseas criminal records for candidates with an international background.
 
Employment history: We can verify a candidate’s work history and references for the past three years, including checks on the existence and authenticity of all listed employers. Using our CV comparison service, we can also check for any discrepancies between the CV used to secure an interview and the subsequent findings of the full background check.
 
Credit checks: We’ll establish a candidate’s identity, address history and financial status via credit referencing agency records. The search will reveal details of financial probity and information including County Court Judgements, bankruptcies and voluntary arrangements within the last six years. This search will be recorded on the candidate’s file but will not be visible to other parties and will not affect the candidate’s credit score. 
 
Professional and academic qualifications: Where applicable, we can check the validity of someone’s professional accreditations or registrations while also checking that their academic qualifications are genuine. For all professional and academic qualifications, we’ll always check at source with the awarding body.
 
International fraud and sanctions watchlists: We’ll check to see whether a candidate’s name appears on any of the hundreds of publicly available watchlists worldwide, relating to anything from terrorism and fraud through to being a barred or politically exposed person.
 
Social media checks: An increasingly popular – and relevant – check for employers keen to understand whether someone’s social media activity could damage their brand, reputation or client relationships. As well as highlighting illegal activity and undesirable characteristics, such checks can also play a part in authenticating a candidate’s employment history.
 
Driving licence checks: We’ll check that the candidate does indeed have a valid driving licence. We’ll also check for any endorsements or disqualifications currently on their licence.

Clients in this industry include: