w h i t e pa p e r PRESERVING PROFITS Attacking Fraud & Theft at the Point of Sale January 2014

Transcription

1 w h i t e pa p e r PRESERVING PROFITS Attacking Fraud & Theft at the Point of Sale January 2014

2 Attacking Fraud & Theft at the Point of Sale Employee theft accounts for the highest percentage of retail shrink in North America more than the percentage of theft from traditional shoplifters or outside organized retail criminals. In the rest of the world, it s a close second to shoplifting. The latest statistics indicate employee theft is growing annually by 5.5%. 1 Assuming a bottom line profit of 5%, retailers would have to sell $2,000 in merchandise to make up for every $100 stolen by an employee. (5% of $2,000 = $100) Clearly, employee theft impacts the bottom line. Sources of Inventory Shrink Employee theft is the largest source of inventory shrink Source: National Retail Security Survey Unknown Error 4% Vendor Error 4% Admin Error 14% Employee Theft 43% Shoplifting 35% Getting What You Paid For The American Payroll association states that 5% of payroll is fraudulent. This is the result of one employee clocking in for a fellow employee that has not arrived at work or they could be clocking out for an employee who left work hours ago. Paying an employee when they are not at work is a very real expense. Not providing service to demanding customers can result in immediate lost sales and customers not returning to a store in the future due to poor service levels. Employee payroll fraud and poor service levels will have a negative impact to payroll expenses, customer sales and service levels. Executive Summary In retail, one of the greatest points of theft vulnerability is at the Point of Sale (POS). This paper reveals current POS employee theft statistics and quantifies the exposure retailer s face when relying on common methods of signing into the POS, such as PINs, passwords, swipe cards and keys. These increasingly antiquated authentication methods can be easily shared, lost, stolen or forgotten resulting in greater risk and little-to-no accountability at the POS. An increasing number of retail enterprises are turning to biometrics to improve accountability, reduce payroll fraud and deter employee theft. Increased accountability has proven to be a strong deterrent to theft. In addition, retailers have discovered that fingerprint biometrics decrease transaction times. Biometrics Reduce payroll fraud & employee theft Decrease transaction theft Improve accountability Increase profits **** Antiquated credentials PINs, passwords, cards and keys Easily stolen, lost, forgotten No accountability 2 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

3 Employee Theft Challenges & Statistics The retail sector is particularly susceptible to employee theft, primarily as a result of low wages and high staff turnover. No employer wants to think their employees are untrustworthy and dishonest but statistics tell a different story: One out of every 40 employees was apprehended for theft from their employer. 2 34% of all 18- to 29-year-old employees believe it is justifiable to steal from their employer. 3 Employees feel they are entitled to more than they are getting. Dishonest employees steal approximately 5.5 times the amount stolen by shoplifters ($ vs. $129.12) on a per-case average. 4 Average shrinkage is 1.41% of sales (at retail). 5 One-third of all business failures each year are attributed to employee theft. 6 Less than 5% of all retail theft losses are ever recovered. For every $1 recovered, companies said $25 was still lost to retail theft. 7 Attempts to redeem what was lost from employee theft equates to more time and money than it is worth. 8 Loss prevention experts say the majority of internal theft happens at the POS terminal. The concern is that many of these thefts are not detectable by normal audit procedures and that it is the small transactions at the counter, where the biggest losses can occur. 9 One of three workers (18-29) believe stealing from their employer is justified. Authentication Method is Key The type of authentication used to log into the POS is the key to risk exposure. Traditional POS security methods such as passwords, PINs, swipe cards and keys are easily shared. Often, store associates know the manager s password or because the manager is busy, store associates are handed a swipe card or key enabling them to discount or void transactions, repeatedly. Often, a manager will leave their swipe card or key at a POS terminal. The use of biometrics forces the manager to do their job and ties the individual, irrefutably, to the transaction. The irrefutable accountability becomes the deterrent to fraud. 3 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

4 Passwords, PINs, Swipe Cards & Keys: Ineffective, Expensive Solutions When asked about fraudulent transactions entered using passwords, PINs, swipe cards and keys, employees can easily deny they were involved. An employee in question can simply say, someone must know my password or someone must have my swipe card. Relying on these ineffective solutions leaves cash and credit cards vulnerable. It s difficult to determine who is accessing your POS system and who is responsible for specific transactions. Passwords and PINs Passwords and PINs, the most commonly used methods of authentication, are often thought to be the most cost-effective method of authentication, but retailers find the potential theft risk often outweighs any cost savings. Market studies reveal the following behaviors: Many easily share their passwords/pins with employees and friends to complete tasks or to fraudulently punch/clock in or out. Passwords/PINs can be observed and obtained by other workers due to the close working proximity. Often the password or PIN is selected based on ease of memorability, not on the strength. Most use the same or similar passwords/pins for multiple applications. Swipe Cards & Keys Swipe cards and keys present additional challenges: They are easily borrowed or stolen. Employees often lose them or forget to bring them to work. They are easily passed between employees for fraudulent use. Override Transactions In a rush to complete daily tasks, supervisors may circumvent guidelines by sharing override passwords, PINs, keys or swipe cards with employees to complete processing exceptions (such as voids, returns, refunds, discounts, zero or changed price overrides). For retail chains relying on management passcodes, employees may shoulder surf and later use passcodes for future theft opportunities. Once employees have the manager s swipe card or know the manager s password, they can void transactions and pocket the cash. 4 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

5 Time Theft Beyond inventory and cash, losses also include time theft or payroll fraud. 60% of employees in retail admitted to time theft in Buddy-punching, the act of a worker clocking in or out for another, is a major contributor towards payroll fraud: Buddy-punching accounts for up to 5% of gross payroll according to The American Payroll Association of 4 organizations experience buddy-punching % of employees surveyed, buddy punched for one another at least once in a year. 13 Figure 1: Estimating Buddy Punching Costs (2% or 5%) as Compared to Initial Biometrics Cost Annual Costs of Payroll Fraud (Buddy Punching) # of locations # employees per location Annual Payroll Cost (# Employees) x ($10.00/hr) x (25hrs/wk) x(52wks) Profit 2% Payroll Fraud Profit 5% Payroll Fraud $26,000,000 $520,000 $1,300,000 Return on Investment (ROI) of Implementation using Crossmatch Biometrics # of locations # terminals per location Cost for U.are.U 4500 biometric readers Payback 2% loss 2% Loss $35, weeks 1360% Buddy-punching results in lost productivity and indicates the company is not serving customers at the highest level. 14 Missing staff impacts customer service, resulting in lost sales and decreased customer visits. Another adverse impact is that while the dishonest employee appreciates the additional time off, honest employees resent the dishonest behavior which is not good for morale. A preventive solution, such as using biometrics to clock in and out, ensures only the scheduled employee clocked themselves in or out. The typical return on investment for implementing biometrics, assuming the lower 2% payroll fraud rate, is less than 4 weeks as shown above. Organizational Costs Traditional authentication methods generate significant organizational costs that often go unnoticed. For example, when users forget passwords or leave cards at home, both Helpdesk hours and cashier downtime increase, impacting both costs and service levels at the POS. When a manager is busy managing and assigning new PINs or swipe cards to employees who forgot them, it costs valuable time. Management also needs to oversee and maintain card or key inventories, driving costs up while eroding productivity. 5 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

6 Data Breach Risk: The Biggest Potential Cost Two out of three breaches exploit weak or stolen passwords. Across the board, hackers are focused on compromising identities, according to the 2014 Verizon Data Breach Report. 15 Weak or default passwords lead to many of the point-of-sale attacks. One easily hacked password or PIN could result in an expensive security data breach. When a company s authentication method is based on something you know or have such as a password, almost anyone can enter a compromised password or use a stolen swipe card to collect credit card numbers. While many store and corporate level employees do not need to comply with CISP/PCI DSS requirements, there are those that do. Biometrics is a perfect fit for those required to use strong passwords that have to be changed every 90 days. Strong authentication protection is essential for meeting the payment card industry s CISP/PCI DSS compliance requirements. Most passwords are simply not enough protection against hackers trying to access systems to download customer credit card numbers. Loss of Efficiency = Loss of Customer Satisfaction Efficiency at the POS terminal is crucial as it affects customer service and perception. According to the 2013 Shopper Experience Study 16 on a scale of 1 (least important) to 5 (most important): Inefficient or inaccurate checkout process (4.3) is the #1 rated dislike during store checkout. Fast, easy checkout (3.9) is the top rated factor for influencing in-store purchase decisions. Customer satisfaction depends on the time of queuing, as well as the time of undertaking a transaction at the counter. 17 The constant typing of passwords/pins, inserting of keys, or swiping of cards, only slows down transactions, resulting in longer wait times and brand deterioration. POS terminals are often set to time out after a short period of inactivity. A store associate returning to the POS terminal after helping a customer with a selection then needs to log back on to the terminal. Biometrics requires only a simple touch of a finger for an immediate authentication and logon to the POS terminal. The authentication is fast and completely transparent to the customer. Identity, Efficiency and Accountability: Fingerprint Biometrics is the Solution Fingerprint biometrics is quickly growing in popularity as a more secure and efficient alternative to traditional authentication methods. According to a Networld Alliance Retail and Food Service Survey, Over 70% of survey respondents are considering a switch to biometrics. 18 There are six key advantages fingerprint biometrics offers: 1. Eliminates Time and Attendance Fraud Requiring employees to scan their fingerprint to clock in can eliminate the possibility of buddy-punching. Fingerprint biometrics provide consistently accurate clocking information that reduces labor costs and increases productivity. 19 They also mitigate conflict in the workplace resulting from peer pressure to help friends with unethical practices. Additional cost savings can be obtained from employees clocking in at their POS stations. This ensures they are ready to assist customers at their scheduled times. It reduces time lost due to lollygagging (walking from the back office time clock and visiting other departments in route to a POS station). 6 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

7 The retail chain Meijer estimates its employees were spending at least 12 minutes a day walking from the time clock to POS stations. With Meijer having more than 75,000 employees, biometrics had a significant impact. 2. Protects and Deters Theft Through Accountability Unique to each person, fingerprint templates provide unmistakable identification. Fingerprint readers are the only available method to achieve [this level of] data integrity, unequivocally linking an individual to his or her work record. 20 Knowing that one s fingerprint identity is tied to the transaction deters theft and fraud while encouraging ethical conduct. Canadian retailer, Holt Renfrew relies on fingerprints to prevent commissioned employees from processing returns against another employee s sign on. Fingerprint authentication protects employees by giving them appropriate credit and preventing false blame. They ensure only authorized personnel have access to systems and are present at the time of authorization. With fingerprints: Employees know their actions are tied to their identities. Employees can t pretend to be someone they are not. Credentials cannot be shared or otherwise compromised. Transaction accountability is greatly improved. 3. Reduces Manager Override Fraud Fingerprint biometrics eliminates the practice of sharing credentials with others and ensures that only authorized managers process voids and refunds. With biometrics, you know for sure the manager was present at the time of the override. Managers simply touch the fingerprint reader to approve exceptions. 4. Speeds Transaction Time Employees simply touch the fingerprint reader and they are immediately authenticated and ready to perform POS transactions. Retailers find using fingerprint authentication improves transaction times. Customers don t have to wait for the employee to sign in. Fingerprint biometrics also prevents downtime because, unlike other methods, no one forgets their finger. Efficiency and increased productivity lead to greater customer satisfaction. 5. Reduces Operational Expenses Fingerprint biometrics eliminates many expenses associated with other authentication methods including: Eliminates costs of replacing keys and swipe cards. Prevents Helpdesk calls for forgotten passwords, PINs and missing cards. Eliminates more intentional and unintentional human errors Simplify CISP/PCI DSS Compliance The credit card industry requires retailers to protect access to data. By using fingerprints, retailers can easily meet these PCI strong authentication requirements: #2 Don t use vendor-supplied defaults for passwords. #3 Protect stored cardholder data. #7 Restrict access to cardholder data. #8 Assign unique IDs to each employee. 7 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

8 Biometrics The most accurate way to collect employee time and attendance information. 22 Offers the only available method to achieve [this level of] data integrity, unequivocally linking an individual to his or her work record. 23 Eliminates more intentional and unintentional human errors. 24 Provides consistently accurate clocking information that reduces labor costs and increases productivity. 25 Crossmatch Fingerprint Readers The Competitive Advantage Many Crossmatch customers view fingerprint biometrics at the POS as a distinct competitive advantage because of the resulting cost savings, security and improved customer service. Customers typically report seeing an immediate cost savings and achieve an ROI within the first 4 weeks of deployment. Many companies including, Meijer, are strategically expanding the use of Crossmatch fingerprint biometric readers, reducing employee theft while improving their service levels. More than 90% of hardware and software vendors that have biometrically enabled their solutions have chosen Crossmatch technology. Most POS software has Crossmatch biometric support already built in. Contact Crossmatch or your POS software provider to ensure your version of software is biometrics enabled. 8 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

9 References 1. Jack L. Hayes International Inc., 25th Annual Retail Theft Survey, 2013, from 2. Jack L. Hayes International Inc., 25th Annual Retail Theft Survey, 2013, from 3. Blair Chancey, Security Check, 2013, from 4. Jack L. Hayes International Inc., 25th Annual Retail Theft Survey, 2013, from 5. Jack L. Hayes International Inc., 25th Annual Retail Theft Survey, 2013, from 6. National Federation of Independent Business, Preventing Employee Theft, 2013, from 7. Jack L. Hayes International Inc., 25th Annual Retail Theft Survey, 2013, from 8. Natt O. Reifler, Employee Theft: What You Don t Know Can Hurt You, October 2008, p. 26, Franchising World 9. Understanding and Avoiding Retail Fraud,2009, Grant Thornton, LLP, William Olsen 10. Christine A. Henle, Charlie L. Reeve & Virginia E. Pitts, Stealing Time at Work: Attitudes, Social Pressure, and Perceived Control as Predictors of Time Theft, 2010, p. 53, Journal of Business Ethics 11. Acuity Market Intelligence, Biometrics: High-Value Workforce Management, February 2008, p Oloyede Muhtahir, Adedoyin Adeyinka & Adewole Kayode, Fingerprint Biometric Authentication for Enhancing Staff Attendance System, February 2013, p. 20, from Nucleus Research Study 14. John West, From Theft to Best: Turning Time into Productivity, December 2009, p. 11, from Data Breach Investigations Report, Verizon, Joe Skorupa & Adam Blair, Rise of the Individual Shopper, June 2013, p , from 4th Annual 2013 Shopper Experience Study: Enabling Retail Without Boundaries 17. Michal Polasik, Jakub Gorka, Gracjan Wilczewski, Janusz Kunkowski & Karolina Przenajkowska, Time Efficiency of Point-of-Sale Payment Methods: Preliminary Results, December 2010, from Journal of Internet Banking & Commerce 18. Networld Alliance Retail and Food Service Survey, Time is Money in the Workplace, June 17, 2010, p. 15, from Finweek 20. Acuity Market Intelligence, Biometrics: High-Value Workforce Management, February 2008, p Acuity Market Intelligence, Biometrics: High-Value Workforce Management, February 2008, p Oloyede Muhtahir, Adedoyin Adeyinka & Adewole Kayode, Fingerprint Biometric Authentication for Enhancing Staff Attendance System, February 2013, p. 20, from Acuity Market Intelligence, Biometrics: High-Value Workforce Management, February 2008, p Acuity Market Intelligence, Biometrics: High-Value Workforce Management, February 2008, p Time is Money in the Workplace, June 17, 2010, p. 15, from Finweek 9 Preserving Profits: Attacking Fraud & Theft at the Point of Sale

10 About Crossmatch TO LEARN MORE For more information, visit or contact us at: In North America, call: In EMEA, call: In Asia, call: Crossmatch helps organizations solve their identity management challenges through biometrics. We empower governments, law enforcement agencies, banks, retailers and other enterprises to mitigate risk, drive productivity and improve service levels. Our solutions are built on consultative expertise, refined best practices and the application of advanced biometrics technologies. Crossmatch understands the forces of change in the markets we serve and we develop solutions that anticipate customer requirements. Our network of consultative and technical service experts collaborate with customers in more than 80 countries worldwide. Learn more at DISCLAIMER THE INFORMATION IN THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS DOCUMENT ARE BELIEVED TO BE ACCURATE BUT CROSSMATCH MAKES NO CLAIMS, PROMISES OR GUARANTEES ABOUT THE ACCURACY, COMPLETENESS, OR ADEQUACY OF THE INFORMATION. CROSSMATCH SPECIFICALLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS OR COMPLIANCE WITH ANY NATIONAL, STATE OR LOCAL LEGAL OR REGULATORY REQUIREMENTS OF ANY KIND. Crossmatch 3950 RCA Boulevard Palm Beach Gardens, FL USA Tel: Fax: Copyright 2014 Cross Match Technologies, Inc. All rights reserved. Specifications are subject to change without prior notice. The Crossmatch logo, Crossmatch, Cross Match, L Scan, D Scan, I Scan, Guardian, SEEK and Verifier are trademarks or registered trademarks of Cross Match Technologies, Inc. in the United States and other countries. DigitalPersona, TouchChip, Eikon, U.are.U and FingerJet are trademarks or registered trademarks of DigitalPersona, Inc., which is owned by the parent company of Cross Match Technologies, Inc. All other brand and product names are trademarks or registered trademarks of their respective owners.