3/5/2020
Keeping Your PCI Compliance & Inventory Management Strategies from Becoming Loss Leaders
March 5, 2020

To Receive CPE Credit
• Individuals
  – Participate in entire webinar
  – Answer polls when they are provided
• Groups
  – Group leader is the person who registered & logged on to the webinar
  – Answer polls when they are provided
  – Complete group attendance form
  – Group leader sign bottom of form
  – Submit group attendance form to [email protected] within 24 hours of webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar
INTRODUCTION
Tim Reynolds, Managing Director, Food & Agribusiness
• Leads BKD’s food & agribusiness team
• Kansas City, Missouri
• CPA – Kansas, Ohio, Missouri
• More than 27 years of professional service
• Specializes in providing tax & operational consulting services to food retailers & food manufacturers
  – Helps with financial & operational performance
  – Helps identify & manage risk

INTRODUCTION
Rex Johnson, Director, Cybersecurity
• BKD Cyber & Payment Card Industry (PCI) practice leader
• Kansas City, Missouri
• CISSP®, CISA®, CIPT, PMP®, PCIP™, QSA
• More than 25 years of professional service
• Assists organizations with cybersecurity solutions
  – IT & security governance
  – Technical assessments
  – PCI & other compliance assessments
Part 1: Inventory Management Strategies in the Retail Grocery Industry
PRESENTED BY: TIM REYNOLDS

OUR GOALS FOR TODAY
1. Inventory Shrink – The Basics
2. Inventory Shrink Best Practices – Key Departments
3. Inventory Shrink – General Best Practices
4. Loss Prevention – Common Best Practices
Inventory Shrink – The Basics
• Definition
  – The difference between profits that SHOULD have been made versus profits ACTUALLY made
  – “Accounting lingo” – the unexplained difference (loss) between expected ending inventory versus the actual inventory balance on hand when a physical inventory is taken

                     Financial Statements   Physical Inventory   Difference
  Ending Inventory   $2,500,000             $2,400,000           $(100,000)
  Sales = $5,000,000    Shrink = $100,000 / $5,000,000 = 2%

Inventory Shrink – The Basics
• Primary sources
  – Theft (≈ 1/3) – customers, employees, vendors, organized crime
  – Operational (≈ 2/3) – customer breakage, improper storage, handling, ordering & planning by the retailer, errors with receiving, checkout (cashier) process & expired product
Inventory Shrink – The Basics
• How much?
• Shrink WILL occur ... how much will depend on
  – Ability to acknowledge & recognize it
  – Ability to change the “mindset”
    • Is this a broken bottle of ketchup or is it $3.99 in inventory dollars?
  – Commitment & discipline from the “top to the bottom” of the organization & accountability
  – Training, training, training!

Inventory Shrink – The Basics
• Measurement – two methods
  – Cost method – based on retailer’s “cost” of product. Benefits the accounting process, as it’s easier to track on the financial records
  – Retail method – based on what the retailer would “sell” it for. Usually higher than cost due to markup but easier to understand since it uses retail amounts (the price) & employees can relate to it better
  – No “right or wrong” method – close to a 50/50 split on method used in industry
Inventory Shrink – The Basics
• Impact of shrink
  – Money – shrink can cost retailers thousands of dollars every year in product loss & wasted labor with cleaning, processing, etc.
  – Store image – consumers who discover high amounts of expired product in stores. Will they come back? Tell their friends? Post on social media? Who’s ready for that?!

Inventory Shrink – The Basics
• Signs of shrink
  – Material “gap” between expected profit versus actual profit, or gaps between expected inventory versus actual inventory
  – Financial statement profit versus cash in the bank
  – Downward trend in cash flow
  – Lack of technology
  – Lack of a shrink mindset at one or more levels
  – Lack of a shrink program!
Inventory Shrink – Produce Department
• Proper training of cashiers with product identification, ringing
• Monitoring misting, proper moisture, culling, procedures
• Proper rack display procedures – damaged product!
• Equipment maintenance – keep up!
• Movement analysis – space to sales
• Verification of “sale on” & “sale off” pricing
• Sanitation & rotation practices in the holding cooler!

Inventory Shrink – Meat & Seafood
• Monitor & keep accurate records on fresh cuts for over-under production. Too much variety may help image but it breeds spoilage!
• Strong controls on “cents-off” program
• Strong controls on receiving program
• Equipment maintenance – keep up!
• Cutting tests to ensure proper yields
• Verification of “sale on” & “sale off” pricing
• Sanitation & rotation practices in the holding cooler!
Inventory Shrink – Deli & Bakery
• Monitor sales velocity & match production – “stale pull report”
• Cross-promote – use the “food furniture!”
• Monitor supply costs
• Equipment maintenance, temp controls – keep up!
• New item signage & suggestive selling
• Verification of “sale on” & “sale off” pricing
• Sanitation & rotation practices in the holding cooler!

Inventory Shrink – General
• Receiving – one of the most important roles in a store! Count it!
• Clean, organized back room, unloading & return areas
• Limited access for vendors – storage, disposal areas
• Training on proper storage, handling, stocking procedures
• Careful placement of high-dollar or easily pilfered items
• Monitor waste areas & dumpster for discarded items
• Keep records, monitor seasonal demands & trends
Inventory Shrink – Summary
• Shrink can occur in many places; however, it’s one of the most controllable costs of operating a retail store with the proper training, a change in mindset & accountability … & minimal investment
• Surprisingly … the vast majority of independent retailers DO NOT have a shrink program as compared to larger chains. It’s an “option” versus a “fundamental” standard operating procedure!
• Consider a shrink program assessment & implement a program!
• Consider reward & appreciation programs for reductions in shrink!

Loss Prevention
• Customer service!
• RFID tags on high-dollar value items
• Restrooms at the front – store designs/remodels
• CCTV
• Back doors & exit doors secured at all times
• Key controls – account for
• Use clear trash bags
• Dumpster/compactor controls
• Train cashiers on coupon fraud, fake currency
Loss Prevention
• Train cashiers/baggers on concealed product
• Analyze register sales % to stores sales %
• Train service desk to log, spot trends on returns
• Require background checks on ALL cashiers!
• Track over/shorts – trends, frequency, amounts
• Track “no sales,” refunds, voids, coupons, “one-cent” sales that are not consistent with pricing
• Prosecute! Set the tone!

Part 2: Understanding Payment Card Industry (PCI) Compliance
PRESENTED BY: REX JOHNSON
OUR GOALS FOR TODAY
1. What Is PCI Compliance?
2. Completing the PCI Assessment (ROC or SAQ)
3. Risks & Threats to PCI Security
4. Benefits to PCI Compliance
Background on PCI Compliance
• Many years ago, the payment card brands elected to have a standard for assessing the protection of cardholder data (CHD)
• Implemented the Payment Card Industry Data Security Standard (PCI DSS)
• If an organization accepts card payment & stores, processes or transmits cardholder data, they need to be PCI DSS compliant
• PCI DSS is a set of rules, not a law, that is enforced by the payment brands & governed by the PCI Security Council
PCI Security Standards Council
• PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council
• Created to increase controls around cardholder data to reduce credit card fraud
• Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA)

  Merchants & Service Providers – PCI DSS – Secure Environment
  Software Developers – PCI PA-DSS – Payment Applications
  Manufacturers – PCI PTS – PIN Entry Devices
  P2PE

How Do You Take Credit Card Payments?
Organizations (called merchants in the PCI world) typically have more than one way to take a payment. Each way is known as a payment channel:
• In person
• Payment devices (POS POI)
• Mail order
• Online
• Phone
Two Types of Assessments
ROC
• Report on compliance (ROC)
• Must be performed by an independent organization
• Led by a QSA
• Level 1 merchants & service providers
• Acquiring banks may elect other levels to do a ROC
SAQ
• Self-assessment questionnaire (SAQ)
• Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance
• May engage a QSA to assist or perform
• Eight different types of SAQs
• All levels except Level 1
Attestation of Compliance
The organization’s bank/payment processor (acquirer) or card brands will determine type of assessment: ROC or SAQ

PCI Levels – Merchants in General

Level  Annual Transactions   Validation Actions                                Validated By
1      6 to 20 million       Annual on-site security audit (ROC) &             Independent assessor (QSA) or IA with PCI
                             quarterly network scan                            training; scans conducted by ASV
2      1 to 6 million        Annual self-assessment questionnaire (SAQ) &      Merchant (self-assessment); QSA is optional
3      20,000 to 1 million   quarterly network scan                            or may be directed by acquirer; scans
4      20,000 or less        Annual SAQ & network scan recommended             conducted by ASV
PCI SAQ Types
Type of SAQ depends on the type of merchant environment & confirmed by acquirer
• A: card not present merchants (e-commerce or mail/telephone order)
• A-EP: e-commerce merchants who outsourced payment processing to third parties
• B: merchants using a) imprint machines or b) standalone dial-out terminals
• B-IP: standalone, PTS-approved payment terminals
• C-VT: manually enter a single transaction at a time virtual payment (not e-commerce)
• C: payment applications connected to the internet, no electronic CHD storage
• P2PE: hardware payment terminals managed by P2PE solution (not e-commerce)
• D: all merchants not included in the above
PCI DSS Requirements (goals & the requirements under each)
Build & maintain a secure network
  1. Install & maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords & other security parameters
Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
  5. Use & regularly update anti-virus software or programs
  6. Develop & maintain secure systems & applications
Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly monitor & test networks
  10. Track & monitor all access to network resources & cardholder data
  11. Regularly test security systems & processes
Maintain information security policy
  12. Maintain a policy that addresses information security for all personnel
Compensating Controls
• In the event that an organization does not meet a PCI control, the assessor can determine if compensating controls are in place
• Compensating controls worksheet is listed in the ROC template
  – Constraints
  – Objectives
  – Identified risk
  – Definition of compensating controls
  – Validation of compensating controls
  – Maintenance
• Must address risk & be stronger than the control it is replacing
• Management must approve compensating controls every year
Lack of PCI Compliance Can Cost
• Lost confidence & customers go to other merchants
• Diminished sales
• Cost of reissuing new payment cards
• Fines
• Fraud losses
• Higher subsequent costs of compliance
• Termination of the ability to accept credit cards
• Going out of business
Device Tampering: Skimming
• A skimming device is a camouflaged counterfeit card reader to record the card’s information
• It will still allow the cardholder to perform their transaction
• Used at ATM machines, retail stores, restaurants & taxis
• Can sometimes be a hand-held skimmer small enough to fit into a pocket
Tokenization
• The process of replacing a credit card number (PAN) with a unique set of numbers that have no bearing on the original data
• Creates specific characters that only work during the transaction
• Reduces risk of credit card data theft or misuse
Evolving Role of PCI
• PCI is currently on version 3.2.1 of the standard
• Multiple SAQs have evolved due to updates in technology & how cards are accepted
• Version 4.0 has been released in draft form to QSAs for review & comment
• V. 4.0 looks to
  – Update terminology
  – Provide some customization
  – Strengthen standards to protect card data

Why Is PCI DSS Compliance Important?
• Hackers & large international organized crime target merchants & their payment channels
• High fees for noncompliance with PCI DSS
  – At the discretion of the payment brands
  – $5,000 to $10,000 per month
• The fallouts of a card data breach
  – The resulting costs can be significant
  – Breach could result in an average cost of $200 per card number lost
  – Long-term reputational effects to an organization
Benefits of PCI Compliance
• The security of cardholder data affects everyone
• Increases security of cardholder data
• Customer confidence
• Better protection for clients
• Universal principles
• Avoidance of fines
• Reduces the cost of a breach
Questions
Continuing Professional Education (CPE) Credit
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered
CPE Credit
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]
Thank You!
Tim Reynolds | Rex Johnson
816.221.6300
[email protected] | [email protected]
Twitter: @RexSecurity