Stay Smart on Protecting Against Card Fraud
By Bob Russo, general manager, PCI Security Standards Council
With the latest attacks on big-name retailers, the pressure is on for businesses of all sizes to show that they are doing whatever it takes to keep their customers' confidential information safe and out of the hands of criminals. But with the headlines changing daily on what actually happened and how, many retailers are unsure where to begin making changes.
In light of these challenges, the PCI Security Standards Council has put together a quick list of 10 simple steps any business can take to review its current status, put a defense-in-depth strategy in place, and lower the probability of a data breach.
1. Educate. Employees should be trained annually on both online and physical security threats, as well as on the best practices for protecting cardholder data. If you are not familiar with these practices and what new and existing employees should be trained on, check with your acquiring bank or payment service provider to see what training they provide.
2. Update. Your employee manuals should be updated regularly with information on the proper handling of sensitive information, including payment card data and any sensitive customer data you may regularly work with.
3. Screen. Pre-employment screening is a basic and essential practice for any business owner, especially for those employees who have access to sensitive customer or financial data. Believe it or not, according to the 2013 Verizon Business Data Breach Investigations Report (DBIR), nearly 15% of data breaches were the result of a company insider.
4. Protect. The 2013 Trustwave Global Security Report (GSR) notes that almost all of the POS breaches Trustwave investigated last year involved malware. The first step in countering this is to ensure that your business runs network and web application firewalls and anti-virus, anti-malware and anti-spyware software, and that all of these are updated frequently. Note that signature-based tools only catch what they already know about; keeping them current is what makes them useful.
5. Be Aware. Pay attention to fraud prevention alerts from law enforcement agencies, payment card brands and anti-virus and anti-malware vendors. Familiarity with the latest security issues helps you anticipate problems and act quickly when they arise. A quick response can make the difference between a minor incident and a major data breach that costs your company millions of dollars and tarnishes your brand.
6. Control. Tightly control downloads, software installations, the use of thumb drives and connections to public Wi-Fi on any computer used for payment card processing or for handling other sensitive information.
7. Separate. Designate a separate computer for processing all of your online financial transactions, and keep it away from social media, email and general web browsing. A large share of compromises begin with a computer infected through seemingly routine web surfing, and a machine that is used for nothing but payments has far fewer ways to pick up that infection.
8. Change. Change your passwords regularly, and always after outside contractors have installed or upgraded hardware, software or POS systems, since the credentials they used or left behind may be known to others. The Trustwave GSR lists weak and/or default credentials as the third most common method of entry for an attacker. Make sure that every default password is changed, that the replacements are complex enough to resist guessing (a mix of lower- and upper-case letters, numbers and special characters), and that no password is reused across systems or accounts, so that one compromised credential does not open all of them.
9. Backup. Regularly back up your computers and the key data you want to protect, whether to a local machine or to an offsite facility, so your business can be up and running again quickly in the unfortunate event of an attack. Keep at least one copy somewhere the attacked systems cannot reach, and test that you can actually restore from it; a backup that has never been restored is only a hope.
10. Learn. Talk to peers, get involved in industry security groups and find resources that will help you as you continue your security journey. Visit the PCI Security Standards Council website for information on the PCI data security standards as well as ongoing education and training programs available to your organization.
Remember, there is no silver bullet for data security. Many new technologies promise greater protection, including EMV chip, tokenization and encryption, but technology is only one piece. To protect your customers and your business, you also need security practices that address the people and processes in your company every day. "Think security," and your organization will follow.
For more information on PCI security standards and other resources to help you protect payment card data, please visit pcisecuritystandards.org.
No butts about it, CVS exits tobacco category
CVS Caremark claimed the healthcare high ground by discontinuing the sale of tobacco products, but the move comes at a steep price: the company said it will lose $2 billion in annual revenue and take a 17-cents-per-share hit to earnings.
As CVS and other drug store chains have sought to play a larger role in the nation's health care delivery system, the sale of tobacco products had become increasingly inconsistent with that mission. The decision also comes as tobacco usage, and cigarette smoking in particular, has been in long-term decline, while non-health-oriented retailers such as Dollar General and Family Dollar have added tobacco to their product assortments.
"Ending the sale of cigarettes and tobacco products at CVS/pharmacy is the right thing for us to do for our customers and our company to help people on their path to better health," said president and CEO Larry J. Merlo. "Put simply, the sale of tobacco products is inconsistent with our purpose. As the delivery of health care evolves with an emphasis on better health outcomes, reducing chronic disease and controlling costs, CVS Caremark is playing an expanded role in providing care through our pharmacists and nurse practitioners. The significant action we're taking today by removing tobacco products from our retail shelves further distinguishes us in how we are serving our patients, clients and health care providers and better positions us for continued growth in the evolving health care marketplace."
Coinciding with this announcement, a Journal of the American Medical Association Viewpoint article published this week details the importance of this decision in light of the expanding role of the pharmacy industry in health care delivery. The article is co-authored by Steven A. Schroeder, director, Smoking Cessation Leadership Center, University of California, San Francisco, and CVS Caremark chief medical officer Troyen Brennan.
"CVS Caremark is continually looking for ways to promote health and reduce the burden of disease," said CVS Caremark chief medical officer Troyen A. Brennan, M.D., M.P.H. "Stopping the sale of cigarettes and tobacco will make a significant difference in reducing the chronic illnesses associated with tobacco use."
The company's smoking cessation program, to be launched this spring, is expected to include information and treatment at CVS/pharmacy and MinuteClinic along with online resources. It will be available across all CVS/pharmacy and MinuteClinic locations and will offer additional programs to help CVS Caremark PBM plan members quit smoking.
"Every day, all across the country, customers and patients place their trust in our 26,000 pharmacists and nurse practitioners to serve their healthcare needs," said Helena Foulkes, president of CVS/pharmacy. "Removing tobacco products from our stores is an important step in helping Americans to quit smoking and get healthy."
CVS Caremark's decision to stop selling tobacco products is consistent with the positions taken by the American Medical Association, American Heart Association, American Cancer Society, American Lung Association and American Pharmacists Association, which all have publicly opposed tobacco sales in retail outlets with pharmacies.
The company stated that its decision to exit the tobacco category does not affect its 2014 segment operating profit guidance, 2014 EPS guidance or the five-year financial projections provided at its Dec. 18 Analyst Day. The company estimates that it will lose approximately $2 billion in annual revenue from the tobacco shopper, equating to approximately 17 cents per share. Given the anticipated timing of the change, the impact on 2014 earnings per share is expected to be in the range of 6 to 9 cents. The company has identified incremental opportunities that are expected to offset the profitability impact. It said the decision more closely aligns the company with its patients, clients and healthcare providers to improve health outcomes while controlling costs, and positions it for continued growth.
Men’s Wearhouse expands digital footprint
Men’s Wearhouse has introduced international shipping for online customers in more than 100 countries. The company is promising affordable shipping rates and order totals that are guaranteed at the time of purchase, with no additional charges on delivery.
"We have customers around the world that trust us as their menswear fashion expert, but the only way they could shop with us was if they were based in the USA," said EVP Susan Neal. "Now with our international shipping option, our customers will be able to shop and ship to more than 100 countries anytime and anywhere that is convenient for them. We are thrilled to offer this service and to introduce Men’s Wearhouse to customers around the world."
Founded in 1973, Men’s Wearhouse is a specialty retailer of men’s apparel with 1,133 stores. The Men’s Wearhouse, Moores and K&G stores carry a full selection of suits, sport coats, furnishings and accessories in exclusive and non-exclusive merchandise brands and Men’s Wearhouse and Tux stores carry a limited selection. Most K&G stores carry a full selection of women’s apparel. Tuxedo rentals are available in the Men’s Wearhouse, Moores and Men’s Wearhouse and Tux stores.
Additionally, Men’s Wearhouse operates a global corporate apparel and workwear group consisting of Twin Hill in the United States and Dimensions, Alexandra and Yaffy in the United Kingdom.