
How to prevent and detect employee data theft

Are your employees stealing from your customers?

While good employees are the backbone of your business, unscrupulous ones can be your biggest security risk. They can steal not only from you, but also from your customers by accessing and selling their credit card data.

How employee data theft occurs
Employee data theft occurs in a number of ways. Sometimes it's simply a matter of restaurant servers jotting down credit card numbers or taking a picture of them with their cellphones when they take cards from customers to process payment.

More computer-savvy employees may hack into a store's credit card processing network.

"Internal employees can use the same avenues as external hackers, but because they're working for the company they might have more knowledge about where things are stored and what the POS system is doing," says Brad Chronister, senior manager of security consulting services at ControlScan, a Payment Card Industry Data Security Standard (PCI DSS) compliance and security company. Managers who have access to back-office servers that interact with POS systems can steal data stored on them, for example.

But the biggest problem today is employees skimming credit cards, according to D.B. "Libby" Libhart, president of LL Training and Consultant Group and its subsidiary, LossBusters, which specializes in safety, security and loss prevention.

"It often starts out with an employee who is working at a retailer or a restaurant and making minimum wage or close to it," Libhart says. "Organized crime rings either recruit these workers or plant them. They are outfitted with a portable skimmer -- available on the Internet for a few hundred dollars -- and then they're paid for every credit card they skim into this device."

The skimmer, filled with all the customer information downloaded off the credit card's magnetic stripe, is then returned to the crime ring. The employee is generally paid $20 to $25 for every card skimmed, Libhart says.

The organized crime ring uses the information to clone credit cards and then purchases high-end goods, such as crystal, diamonds and electronics, before reselling the items on eBay or to a fence (someone who knowingly purchases criminally acquired goods) for cash.

Still another potential source of data theft is IT vendors who service a merchant's POS and computer systems.

"While you may not consider them your employees, they are working directly with your organization for things like daily patching and firewall updates," Chronister says. "They can set up back doors [into POS systems] that they can utilize to get into the environment without the merchant's knowledge."

Data theft consequences
No matter how employees steal data, it's not only the credit card customer who will suffer the consequences.

"If the card networks believe -- and they don't have to have proof -- that a card has been breached at a specific merchant, they can institute fines upon that merchant. That's one of the biggest challenges that we have when we talk about data breaches in the industry," says Liz Garner, director of commerce and entrepreneurship at the National Restaurant Association.

Other consequences for merchants include chargebacks on credit cards that got compromised. Worse yet, "if a business doesn't take precautions against this kind of theft, or if it becomes a chronic problem, the credit card companies have the option of cutting off service to the merchant," Libhart says.

Steps for preventing employee data theft
Before you can prevent incidents of employee data theft, you have to understand what it entails. That means educating yourself about skimming, POS, network security and similar potential threats.

After that, you need to educate your employees.

"Employees might not have been exposed to concepts like credit card security, PCI and data security in general," Chronister says. "They have to understand what it means, what their responsibilities are and what the consequences of data theft are. I've actually seen some security awareness training programs that led to a hacker getting caught."

One of the most important things to cover in an employee training session is what a skimmer looks like, so that employees can recognize them and take action.

"[Business owners] have to train supervisors on the skimming scam and what to look for," Libhart says. "They should have in their policies and procedures prohibitions of unauthorized portable skimmers on their premises."

Monitoring access to your network and to your credit card data is crucial.

"If you give a manager the administrator passwords to all the systems, the manager can then turn around and grant somebody outside the environment access," Chronister says. Merchants should ensure that passwords and similar information are provided only to those who really need them, and that those trusted with such information understand that they are not to share it with anyone.

Chronister recommends that merchants create logs to monitor access to networks or set up their computer systems to create alerts when a new account is created, a new hole in a firewall is opened up or several unsuccessful attempts are made to log into the system. All of these could indicate unauthorized individuals, whether employees or external hackers, are trying to gain access to credit card data.
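The three alert conditions Chronister names, as an added example that is not part of the original article: a small monitor that reads access-log lines and raises an alert for a new account, a newly opened firewall rule, or repeated failed logins within a short window. The log format and the sample lines are constructed for illustration, not taken from any real POS or firewall product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp event key=value" format.
# The last block shows five failed logins followed by a success from the same source.
SAMPLE_LOG = """\
2023-11-06T09:00:01 useradd user=tmp_svc by=mgr01
2023-11-06T09:02:10 fw_rule action=allow port=3389 src=0.0.0.0/0 by=mgr01
2023-11-06T22:10:00 login_failed user=admin src=10.0.0.23
2023-11-06T22:10:05 login_failed user=admin src=10.0.0.23
2023-11-06T22:10:09 login_failed user=admin src=10.0.0.23
2023-11-06T22:10:15 login_failed user=admin src=10.0.0.23
2023-11-06T22:10:40 login_failed user=admin src=10.0.0.23
2023-11-06T22:11:00 login_ok user=admin src=10.0.0.23
"""

LINE_RE = re.compile(r"^(\S+) (\S+)(.*)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}

def detect_alerts(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alert strings for: new account, firewall rule opened, repeated failed logins."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "useradd":
            alerts.append(f"NEW_ACCOUNT user={rec['user']} by={rec['by']} at {rec['ts']}")
        elif rec["event"] == "fw_rule" and rec.get("action") == "allow":
            alerts.append(f"FIREWALL_OPENED port={rec['port']} src={rec['src']} by={rec['by']} at {rec['ts']}")
        elif rec["event"] == "login_failed":
            key = (rec["user"], rec["src"])
            # sliding window: keep only failures that fall inside `window` of this one
            failures[key] = [t for t in failures[key] + [rec["ts"]] if rec["ts"] - t <= window]
            # fire exactly once when the count first reaches the threshold
            if len(failures[key]) == fail_threshold:
                alerts.append(f"BRUTE_FORCE user={rec['user']} src={rec['src']} failures={fail_threshold} within {window}")
    return alerts
```

A successful login that immediately follows the failure burst (the last sample line) is worth reviewing together with the alert, since it shows whether the attempts eventually worked.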

If such technology is out of your range of expertise, "seek a professional who has both security and IT knowledge," Chronister says. Ask those professionals about security and POS certifications. For example, there's a new PCI certification -- "qualified integrators or resellers" (QIR) -- that indicates an IT company knows how to install a POS system in a PCI-compliant manner.

Catching employee thieves
If a customer or law enforcement agencies complain about a possible credit card compromise at your business, you should react quickly, Libhart says.

Steps to take include:

  • Pinpointing the time and date of the suspected transaction if possible
  • Identifying the employee who handled the transaction
  • Comparing the time and date of the suspected transaction with employee schedules
  • Reviewing security video if available
  • If there are multiple instances, developing a chart comparing times and dates with employee schedules
  • Cooperating with law enforcement and credit card processing companies
  • Bringing in a loss prevention professional to assist with the investigation
  • Avoiding speculation until the facts are known
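The schedule comparison in the steps above (in particular the chart of times and dates against employee schedules for multiple incidents), as an added example that is not part of the original article. The suspected transaction times and the shift roster are constructed sample data; an employee who was on shift for every incident is a lead for the loss prevention professional to follow up, not a conclusion.

```python
from datetime import datetime

# Constructed sample data: times of transactions the processor flagged as compromised.
SUSPECTED = ["2023-10-30T19:42", "2023-11-01T12:15", "2023-11-03T20:05", "2023-11-04T13:30"]

# Constructed shift roster: (employee, shift start, shift end).
SHIFTS = [
    ("alice", "2023-10-30T16:00", "2023-10-30T23:00"),
    ("bob",   "2023-10-30T11:00", "2023-10-30T20:00"),
    ("carol", "2023-11-01T11:00", "2023-11-01T19:00"),
    ("bob",   "2023-11-01T11:00", "2023-11-01T15:00"),
    ("alice", "2023-11-03T16:00", "2023-11-03T23:00"),
    ("bob",   "2023-11-03T17:00", "2023-11-03T22:00"),
    ("dave",  "2023-11-04T09:00", "2023-11-04T17:00"),
    ("bob",   "2023-11-04T12:00", "2023-11-04T18:00"),
]

def _dt(s):
    return datetime.fromisoformat(s)

def build_overlap_chart(suspected, shifts):
    """For each suspected transaction, list the employees on shift at that moment,
    and count how many incidents each employee was present for."""
    chart = {}
    for s in suspected:
        t = _dt(s)
        chart[s] = sorted(e for e, start, end in shifts if _dt(start) <= t <= _dt(end))
    counts = {}
    for present in chart.values():
        for e in present:
            counts[e] = counts.get(e, 0) + 1
    return chart, counts

def rank_employees(chart, counts):
    """Rank employees by incidents covered: (name, count, fraction of all incidents).
    A fraction of 1.0 means the employee was on shift for every suspected transaction."""
    n = len(chart)
    return sorted(((e, c, c / n) for e, c in counts.items()), key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    chart, counts = build_overlap_chart(SUSPECTED, SHIFTS)
    for when, present in chart.items():
        print(when, "on shift:", ", ".join(present))
    for name, count, frac in rank_employees(chart, counts):
        print(f"{name}: {count}/{len(chart)} incidents ({frac:.0%})")
```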

See related: PCI compliance: An online merchant's guide, Restaurant battles bank over security breach

Published: November 6, 2023
