
Keeping Your PCI Compliance & Inventory Management Strategies from Becoming Loss Leaders

MARCH 5, 2020

To Receive CPE Credit

• Individuals
  ◦ Participate in entire webinar
  ◦ Answer polls when they are provided

• Groups
  ◦ Group leader is the person who registered & logged on to the webinar
  ◦ Answer polls when they are provided
  ◦ Complete group attendance form
  ◦ Group leader sign bottom of form
  ◦ Submit group attendance form to [email protected] within 24 hours of webinar

• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


INTRODUCTION – Tim Reynolds, Managing Director, Food & Agribusiness

• Leads BKD’s food & agribusiness team

• Kansas City, Missouri

• CPA – Kansas, Ohio, Missouri

• More than 27 years of professional service

• Specializes in providing tax & operational consulting services to food retailers & food manufacturers
  ◦ Helps with financial & operational performance
  ◦ Helps identify & manage risk

INTRODUCTION – Rex Johnson, Director, Cybersecurity

• BKD Cyber & Payment Card Industry (PCI) practice leader

• Kansas City, Missouri

• CISSP®, CISA®, CIPT, PMP®, PCIP™, QSA

• More than 25 years of professional service

• Assists organizations with cybersecurity solutions
  ◦ IT & security governance
  ◦ Technical assessments
  ◦ PCI & other compliance assessments


Part 1: Inventory Management Strategies in the Retail Grocery Industry

PRESENTED BY: TIM REYNOLDS

OUR GOALS FOR TODAY

1. Inventory Shrink – The Basics
2. Inventory Shrink Best Practices – Key Departments
3. Inventory Shrink – General Best Practices
4. Loss Prevention – Common Best Practices


Inventory Shrink – The Basics

• Definition
  ◦ The difference between profits that SHOULD have been made versus profits ACTUALLY made
  ◦ “Accounting lingo” – the unexplained difference (loss) between expected ending inventory versus the actual inventory balance on hand when a physical inventory is taken

                    Financial Statements   Physical Inventory   Difference
Ending Inventory    $2,500,000             $2,400,000           $(100,000)

Sales = $5,000,000; Shrink = $100,000 / $5,000,000 = 2%

Inventory Shrink – The Basics

• Primary sources
  ◦ Theft (≈ 1/3) – customers, employees, vendors, organized crime
  ◦ Operational (≈ 2/3) – customer breakage, improper storage, handling, ordering & planning by the retailer, errors with receiving, checkout (cashier) process & expired product


Inventory Shrink – The Basics

• How much?
  ◦ Shrink WILL occur ... how much will depend on:
  ◦ Ability to acknowledge & recognize it
  ◦ Ability to change the “mindset” – is this a broken bottle of ketchup or is it $3.99 in inventory dollars?
  ◦ Commitment & discipline from the “top to the bottom” of the organization & accountability
  ◦ Training, training, training!

Inventory Shrink – The Basics

• Measurement – two methods
  ◦ Cost method – based on retailer’s “cost” of product. Benefits the accounting process, as it’s easier to track on the financial records
  ◦ Retail method – based on what the retailer would “sell” it for. Usually higher than cost due to markup but easier to understand since it uses retail amounts (the price) & employees can relate to it better
  ◦ No “right or wrong” method – close to a 50/50 split on method used in industry


Inventory Shrink – The Basics

• Impact of shrink
  ◦ Money – shrink can cost retailers thousands of dollars every year in product loss & wasted labor with cleaning, processing, etc.
  ◦ Store image – consumers who discover high amounts of expired product in stores. Will they come back? Tell their friends? Post on social media? Who’s ready for that?!

Inventory Shrink – The Basics

• Signs of shrink
  ◦ Material “gap” between expected profit versus actual profit, or gaps between expected inventory versus actual inventory
  ◦ Financial statement profit versus cash in the bank
  ◦ Downward trend in cash flow
  ◦ Lack of technology
  ◦ Lack of a shrink mindset at one or more levels
  ◦ Lack of a shrink program!


Inventory Shrink – Produce Department

• Proper training of cashiers with product identification, ringing

• Monitoring misting, proper moisture, culling, procedures

• Proper rack display procedures – damaged product!

• Equipment maintenance – keep up!

• Movement analysis – space to sales

• Verification of “sale on” & “sale off” pricing

• Sanitation & rotation practices in the holding cooler!

Inventory Shrink – Meat & Seafood

• Monitor & keep accurate records on fresh cuts for over-under production. Too much variety may help image but it breeds spoilage!

• Strong controls on “cents-off” program

• Strong controls on receiving program

• Equipment maintenance – keep up!

• Cutting tests to ensure proper yields

• Verification of “sale on” & “sale off” pricing

• Sanitation & rotation practices in the holding cooler!


Inventory Shrink – Deli & Bakery

• Monitor sales velocity & match production – “stale pull report”

• Cross-promote – use the “food furniture!”

• Monitor supply costs

• Equipment maintenance, temp controls – keep up!

• New item signage & suggestive selling

• Verification of “sale on” & “sale off” pricing

• Sanitation & rotation practices in the holding cooler!

Inventory Shrink – General

• Receiving – one of the most important roles in a store! Count it!

• Clean, organized back room, unloading & return areas

• Limited access for vendors – storage, disposal areas

• Training on proper storage, handling, stocking procedures

• Careful placement of high-dollar or easily pilfered items

• Monitor waste areas & dumpster for discarded items

• Keep records, monitor seasonal demands & trends


Inventory Shrink – Summary

• Shrink can occur in many places; however, it’s one of the most controllable costs of operating a retail store with the proper training, a change in mindset & accountability … & minimal investment

• Surprisingly … the vast majority of independent retailers DO NOT have a shrink program as compared to larger chains. It’s an “option” versus a “fundamental” standard operating procedure!

• Consider a shrink program assessment & implement a program!

• Consider reward & appreciation programs for reductions in shrink!

Loss Prevention

• Customer service!

• RFID tags on high-dollar value items

• Restrooms at the front – store designs/remodels

• CCTV

• Back doors & exit doors secured at all times

• Key controls – account for

• Use clear trash bags

• Dumpster/compactor controls

• Train cashiers on coupon fraud, fake currency


Loss Prevention

• Train cashiers/baggers on concealed product

• Analyze register sales % to store sales %

• Train service desk to log, spot trends on returns

• Require background checks on ALL cashiers!

• Track over/shorts – trends, frequency, amounts

• Track “no sales,” refunds, voids, coupons, “one-cent” sales that are not consistent with pricing

• Prosecute! Set the tone!
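The register tracking in the two Loss Prevention slides above (voids, “no sales,” refunds, one-cent sales that match no real price) is the kind of check a store can run over its POS journal. The Python below is an added example, not code from the presenters or from BKD. It assumes a journal of (cashier, event type, amount) records, which here are constructed sample data, and compares each cashier’s exception rate against the median cashier rather than the store average:

```python
"""Register exception tracking for the loss-prevention checks in the slides.

Added example, not code from the BKD deck: it scores each cashier's rate of
voids, "no sale" drawer opens and refunds against a robust store baseline
(the median cashier rate) and flags one-cent sales that cannot match any
real price. Every record below is constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed sample POS journal entries: (cashier_id, event_type, amount).
# Event types: SALE (completed ring), VOID, NO_SALE (drawer opened without a
# sale), REFUND. A real journal also carries timestamps and receipt ids.
SAMPLE_JOURNAL = (
    [("C01", "SALE", 23.50)] * 40 + [("C01", "VOID", 12.00), ("C01", "NO_SALE", 0.0)]
    + [("C02", "SALE", 31.10)] * 40 + [("C02", "VOID", 5.00)]
    + [("C03", "SALE", 18.75)] * 40 + [("C03", "SALE", 0.01)]
    + [("C03", "VOID", 45.00)] * 8 + [("C03", "NO_SALE", 0.0)] * 6
    + [("C03", "REFUND", 60.00)] * 3
    + [("C04", "SALE", 27.00)] * 40 + [("C04", "VOID", 9.00)] * 2
)

EXCEPTION_EVENTS = ("VOID", "NO_SALE", "REFUND")


def summarize(journal):
    """Count events per cashier and note sales that ring at one cent or less."""
    summary = defaultdict(lambda: {"SALE": 0, "VOID": 0, "NO_SALE": 0,
                                   "REFUND": 0, "one_cent_sales": 0})
    for cashier, event, amount in journal:
        counts = summary[cashier]
        counts[event] = counts.get(event, 0) + 1
        if event == "SALE" and amount <= 0.01:
            counts["one_cent_sales"] += 1
    return dict(summary)


def exception_rate(counts):
    """Exceptions per completed sale; a register with no sales counts as all-exception."""
    exceptions = sum(counts[e] for e in EXCEPTION_EVENTS)
    return exceptions / counts["SALE"] if counts["SALE"] else float("inf")


def flag_exceptions(journal, ratio=3.0, min_sales=20):
    """Return {cashier: [reasons]} for registers that deserve a closer look.

    The baseline is the median cashier exception rate, so one bad register
    does not inflate the number it is compared against. Cashiers with fewer
    than min_sales rings are skipped so a new hire is not flagged on a
    handful of transactions.
    """
    summary = summarize(journal)
    rates = {c: exception_rate(k) for c, k in summary.items() if k["SALE"] >= min_sales}
    if not rates:
        return {}
    baseline = median(rates.values())
    flagged = defaultdict(list)
    for cashier, rate in rates.items():
        if rate > 0 and rate > ratio * baseline:
            flagged[cashier].append(
                f"exception rate {rate:.2f} vs store median {baseline:.2f}")
        one_cent = summary[cashier]["one_cent_sales"]
        if one_cent:
            flagged[cashier].append(
                f"{one_cent} one-cent sale(s) inconsistent with pricing")
    return dict(flagged)


if __name__ == "__main__":
    for cashier, reasons in flag_exceptions(SAMPLE_JOURNAL).items():
        print(cashier, "->", "; ".join(reasons))
```

Using the median as the baseline keeps a single outlier register from raising the bar it is measured against. Over/short tracking needs the drawer count at close, which this journal format does not carry, so that slide item is left out of the example.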

Part 2: Understanding Payment Card Industry (PCI) Compliance

PRESENTED BY: REX JOHNSON


OUR GOALS FOR TODAY

1. What Is PCI Compliance?
2. Completing the PCI Assessment (ROC or SAQ)
3. Risks & Threats to PCI Security
4. Benefits to PCI Compliance

Background on PCI Compliance

• Many years ago, the payment card brands elected to have a standard for assessing the protection of cardholder data (CHD)

• Implemented the Payment Card Industry Data Security Standard (PCI DSS)

• If an organization accepts card payment & stores, processes or transmits cardholder data, they need to be PCI DSS compliant

• PCI DSS is a set of rules, not a law, that is enforced by the payment brands & governed by the PCI Security Council


PCI Security Standards Council

• PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council

• Created to increase controls around cardholder data to reduce credit card fraud

• Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA)

PCI Security Standards Council standards by audience:

• PCI DSS – Merchants & Service Providers – Secure Environment

• PCI PA-DSS – Software Developers – Payment Applications

• PCI PTS – Manufacturers – PIN Entry Devices

• P2PE

How Do You Take Credit Card Payments?

• Organizations (called merchants in the PCI world) typically have more than one way to take a payment, known as a payment channel
  ◦ In person
  ◦ Payment devices (POS POI)
  ◦ Mail order
  ◦ Online
  ◦ Phone


Two Types of Assessments

ROC

• Report on compliance (ROC)

• Must be performed by an independent organization

• Led by a QSA

• Level 1 merchants & service providers

• Acquiring banks may elect other levels to do a ROC

SAQ

• Self-assessment questionnaire (SAQ)

• Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance

• May engage a QSA to assist or perform

• Eight different types of SAQs

• All levels except Level 1

Attestation of Compliance

• The organization’s bank/payment processor (acquirer) or card brands will determine type of assessment (ROC or SAQ)

PCI Levels – Merchants in General

• Level 1 – 6 to 20 million annual transactions
  ◦ Validation actions: annual on-site security audit (ROC) & quarterly network scan
  ◦ Validated by: independent assessor (QSA) or IA with PCI training; scans conducted by ASV

• Level 2 – 1 to 6 million annual transactions

• Level 3 – 20,000 to 1 million annual transactions
  ◦ Validation actions (Levels 2 & 3): annual self-assessment questionnaire (SAQ) & quarterly network scan
  ◦ Validated by: merchant (self-assessment); QSA is optional or may be directed by acquirer; scans conducted by ASV

• Level 4 – 20,000 or less annual transactions
  ◦ Validation actions: annual SAQ & network scan recommended


PCI SAQ Types

• Type of SAQ depends on the type of merchant environment & is confirmed by acquirer
  ◦ A: card not present merchants (e-commerce or mail/telephone order)
  ◦ A-EP: e-commerce merchants who outsourced payment processing to third parties
  ◦ B: merchants using a) imprint machines or b) standalone dial-out terminals
  ◦ B-IP: standalone, PTS-approved payment terminals
  ◦ C-VT: manually enter a single transaction at a time virtual payment (not e-commerce)
  ◦ C: payment applications connected to the internet, no electronic CHD storage
  ◦ P2PE: hardware payment terminals managed by P2PE solution (not e-commerce)
  ◦ D: all merchants not included in the above

PCI DSS Requirements

Goal: Build & maintain a secure network
  1. Install & maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords & other security parameters

Goal: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a vulnerability management program
  5. Use & regularly update anti-virus software or programs
  6. Develop & maintain secure systems & applications

Goal: Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Goal: Regularly monitor & test networks
  10. Track & monitor all access to network resources & cardholder data
  11. Regularly test security systems & processes

Goal: Maintain information security policy
  12. Maintain a policy that addresses information security for all personnel


Compensating Controls

• In the event that an organization does not meet a PCI control, the assessor can determine if compensating controls are in place

• Compensating controls worksheet is listed in the ROC template
  ◦ Constraints
  ◦ Objectives
  ◦ Identified risk
  ◦ Definition of compensating controls
  ◦ Validation of compensating controls
  ◦ Maintenance

• Must address risk & be stronger than the control it is replacing

• Management must approve compensating controls every year

Lack of PCI Compliance Can Cost

• Lost confidence & customers go to other merchants

• Diminished sales

• Cost of reissuing new payment cards

• Fines

• Fraud losses

• Higher subsequent costs of compliance

• Termination of the ability to accept credit cards

• Going out of business


Device Tampering: Skimming

• A skimming device is a camouflaged counterfeit card reader to record the card’s information

• It will still allow the cardholder to perform their transaction

• Used at ATM machines, retail stores, restaurants & taxis

• Can sometimes be a hand-held skimmer small enough to fit into a pocket

Tokenization

• The process of replacing a credit card number (PAN) with a unique set of numbers that have no bearing on the original data

• Creates specific characters that only work during the transaction

• Reduces risk of credit card data theft or misuse
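To make the tokenization bullets concrete, here is an added Python example; it is not code from the presenters, from BKD or from the PCI SSC. It shows a minimal token vault that checks the PAN with the Luhn formula, hands back a random token that has no mathematical relation to the PAN (and is deliberately chosen to fail Luhn so it can never be mistaken for a real card number), and masks the PAN for receipts. The vault class, its method names and the in-memory storage are assumptions made for illustration; the card numbers used are constructed test values.

```python
"""A minimal PAN token vault, illustrating the tokenization bullets above.

Added example, not code from the presenters, BKD or the PCI SSC. Assumptions:
the vault is an in-memory class (a real one encrypts PANs at rest and runs in
its own segmented environment), tokens are 16 random digits, and the card
numbers used for testing are constructed values.
"""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check-digit test that every real card number passes."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt-style masking: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps tokens to PANs. Only this component ever sees card numbers."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def _new_token() -> str:
        # Random digits from the OS CSPRNG, regenerated until the result fails
        # Luhn, so a token can never be mistaken for (or used as) a real PAN.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if not luhn_valid(token):
                return token

    def tokenize(self, raw_pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        pan = re.sub(r"[\s-]", "", raw_pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:        # same card, same token
            return self._token_by_pan[pan]
        token = self._new_token()
        while token in self._pan_by_token:   # collision is vanishingly unlikely
            token = self._new_token()
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Restrict this call to the settlement path only."""
        return self._pan_by_token[token]

    def masked(self, token: str) -> str:
        """What a report or receipt may show for a tokenized card."""
        return mask_pan(self._pan_by_token[token])


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    print("token:", tok, "masked:", vault.masked(tok))
```

Because every system outside the vault holds only tokens, a compromise of those systems yields nothing an attacker can charge, which is the risk reduction the slide refers to; the vault and its detokenize call are the pieces that need the tightest access control. The deck’s bullet about characters that only work during the transaction describes single-use tokens; the vault here returns the same token for a repeat card so purchase history can still be tied together, a design choice to weigh against single-use tokens.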


Evolving Role of PCI

• PCI is currently on version 3.2.1 of the standard

• Multiple SAQs have evolved due to updates in technology & how cards are accepted

• Version 4.0 has been released in draft form to QSAs for review & comment

• V. 4.0 looks to
  ◦ Update terminology
  ◦ Provide some customization
  ◦ Strengthen standards to protect card data

Why Is PCI DSS Compliance Important?

• Hackers & large international organized crime target merchants & their payment channels

• High fees for noncompliance with PCI DSS
  ◦ At the discretion of the payment brands
  ◦ $5,000 to $10,000 per month

• The fallouts of a card data breach
  ◦ The resulting costs can be significant
  ◦ Breach could result in an average cost of $200 per card number lost
  ◦ Long-term reputational effects to an organization


Benefits of PCI Compliance

• The security of cardholder data affects everyone

• Increases security of cardholder data

• Customer confidence

• Better protection for clients

• Universal principles

• Avoidance of fines

• Reduces the cost of a breach

Questions


Continuing Professional Education (CPE) Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

CPE Credit

• CPE credit may be awarded upon verification of participant attendance

• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


Thank You!

Tim Reynolds – [email protected]

Rex Johnson – [email protected]

816.221.6300

Twitter: @RexSecurity