Keep an eye on temps, and other holiday season security tips for retailers

Computerworld - Temporary workers brought in to help during the busy holiday shopping season can sometimes pose a data security risk for companies.

Retailers that hire temporary help need to keep a watchful eye on them to reduce the risk of data compromises, said Bob Russo, general manager of the PCI Security Standards Council. The council oversees the implementation of mandatory security standards for protecting credit and debit card data across the payment industry.

With many retailers hiring temporary workers to handle extra business, vigilance is key, Russo said. "Management needs to hover at this time of the year, especially with temps," he said. Temporary workers who handle credit card data or are involved in any form of payment processing need to follow appropriate security procedures. Proper access controls also need to be in place to prevent temporary workers from gaining access to other systems, he said.

Training and background checks also need to be done as much as possible, he said. "When you hire somebody as a full-time employee, you have time to do independent checks. You can't do that at the end of the year when you are trying to make the Christmas rush and you have about 40 to 45 days to make money," he said. But if there is a way to perform checks, even if it is simply verifying references, it's important to do so, he said. "You've got to hope for the best but plan for the worst," in such cases, he said.

Here are some other measures that security experts suggest retailers take to minimize data compromise risks during the holiday season:

Monitor the use of temporary cash registers and handheld scanners. Many retailers tend to increase their use of handheld scanners and satellite cash registers to speed up the payment process during the busy season.

It's a good idea to bolster physical security around these devices to ensure they are not tampered with, Russo said. Without monitoring, it's easier to install a card-skimming device on a satellite register for instance, than it is in on a point-of-sale device in a permanent checkout lane. Look also for signs of tampering with PoS devices, such as raised or broken seals, he said. Install additional video cameras to monitor the use of such devices.

Review log data daily. System and transaction logs can reveal a lot of information about the security of a payment system. Checking them daily for red flags is a good idea at any time, but even more so during the holidays, Russo said."Though you might not be able to stop a data breach, you can mitigate them if you are watching those logs daily. It's a pretty common sense kind of thing," he said.

Assign more staff to perform manual reviews of suspected/suspended transactions. The fraud detection systems that online retailers use can sometimes flag legitimate transactions. "It's generally better to manually review suspect and suspended transactions that may be legitimate rather than lose good sales and customers by rejecting them outright," said Avivah Litan, an analyst with Gartner Inc.

Implement "hard" firewall policies. Use a white list of known good addresses to preclude the possibility of card and payment data going anywhere outside the enterprise firewall except to your payment processor, Litan said. Also train or refresh call center and customer service staff on fraud prevention procedures. "Social engineering of call center representatives is a favorite ploy of the fraudsters," she said.

Read more about security in Computerworld's Security Knowledge Center.