Security Trends

Aug. 14, 2020

Ensuring business assets remain secure has always been important in convenience services. With all that goes into running a company, it is difficult to maintain tight security, let alone keep up to date on the latest trends and tools in security. The COVID-19 crisis has raised the stakes for companies since criminals seek to take advantage of people during a struggling and chaotic economy. 

Nationally, there have been roughly 60,000 reports of fraud related to COVID-19 from Jan. 1 to June 29, as well as about 4,200 incidents of credit card fraud resulting in a total dollar loss of $10 million, the Federal Trade Commission reports.

Automatic Merchandiser reviews what vending and micro market operators need to know to safeguard their business, including what is needed for hardware, payments and liability protection.

Security hardware

As the coronavirus weakened the U.S. economy, companies are even more cognizant of the cost of their business decisions, from their expenditures to their losses, including theft.

“With the industry hit hard by the pandemic, every dollar counts right now,” Kevin Galaida, vice president of business development at Breakroom Provisions Company, Inc., said. “However, operators now also have a unique opportunity to rebuild their businesses differently and take advantage of recent technology innovations. Loss prevention, optimized efficiency and maximizing sales potential are more critical now than ever.” 

Breakroom Provisions’ Theft Detective surveillance technology, which is specifically designed for micro markets, uses artificial intelligence (AI) to recognize patterns and behaviors to help identify theft, streamline surveillance video management efforts, and improve accessibility via a cloud-based platform. This technology solution addresses challenges operators have historically faced as they operate remotely from the market, including networking and connectivity problems and having limited resources to dedicate to the loss prevention process. 

“Theft Detective improves the process each step of the way,” Galaida continued. “With Theft Detective, operators can catch three times as much theft as using conventional void/cart cancel reports, and also identify the problems and communicate them to clients in a fraction of the time required with traditional methods. By preventing losses and reducing direct labor costs, operators can capture thousands of dollars of additional profit per year from average-sized markets.”

Rich Morahan, a consultant for Lock America, asserted that a reduction of face-to-face transactions during the pandemic has made stealing products from unattended retail more enticing to thieves. High security locks provide the best protection against theft of products and credit card data.

“Some operators look to video surveillance systems as a deterrent and also to electronic alarm locks that alert an operator about theft,” Morahan said. “Data thieves often gain access by inserting skimming devices into kiosks. The only way to keep skimmers out is with a high security lock. An operator needs to do more than watch a thief: An operator needs to stop a thief.” 

Bryan Allen, ESS/OEM east region sales manager at Medeco, said operators should ensure their operations are efficient while also minimizing shrinkage, especially as there may be limited traffic near vending machines. Security should work consistently, regardless of environmental factors — such as extreme temperatures that outside machines may encounter — while people may intentionally damage indoor machines. He has seen a rise in the use of electronics for security, along with the necessity of being able to control access and record and audit a trail of who is accessing the equipment and when. 

“For both product replacement and collection of profits, operators want this information to have accountability for dollars and to evaluate productivity of their operations.”

Electromechanical solutions, such as the Bluetooth-enabled Medeco XT Intelligent Key system, enable operators to remotely audit and change access rights for key holders, saving them time and travel to accounts during the pandemic. 

“If you have a limited amount of field techs, a high security mechanical system with key control may be enough to secure your operation and account for who has keys to access field resources,” Allen said. “However, if you are in an environment where there is large turnover or a much greater number of employees, controlling access and having an audit of all activity may be required to maintain the desired level of security and accountability.”

High-security mechanical cylinders can help deter thieves who attempt to quickly grab cash from the machine, while intelligent cylinder locks discourage operators’ employees who may skim, as these locks provide an accountability trail. 

“Most theft is opportunistic in nature,” Allen said. “No one wants to get caught or to get fired for stealing. Any product that provides a visible audit of where people have been, when they were there and for how long will help prevent theft from occurring. If individuals within an organization know this information is being recorded and tracked, they are less likely to attempt it in the first place.” 

Wei Hsu, sales manager of BatonLock, recommends operators find a hardware security system they can adjust as their company grows or has employee turnover. Master key systems or user-changeable systems both work well with company growth, he said. With user-changeable systems, operators can use a change key to reprogram all the locks in the group of keys. If a key gets lost or if an employee with access to the keys leaves the company, operators can simply reprogram the locks. 

“Both [systems] are just $1 to $2 more per lock, so, with planning, you will save a lot of money in the long run,” Hsu said. 

Hsu also reminds operators to change locks when they acquire a company or purchase new equipment that includes preinstalled locks.

“Many people think of buying locks as a one-time purchase when it should be viewed as insurance,” he said. “You need to regularly review your locks and have key auditing at least once a year and make sure all your keys are accounted for. Many companies find that revenue increases right after a lock changes, so you should have a plan for rekeying and creating new keys every three to five years.”

Payments processing

Payments processing is another key area of security for operators. 

Steve Pidhirsky, director of product management at USA Technologies, said that due to frequent data breaches that have impacted various brands, consumers are more sensitive to the importance of securing their data and realize companies’ vulnerabilities. 

“Vending and the unattended world are the last frontier,” Pidhirsky said. “Historically, this market segment was generally perceived as low risk, thus not needing the same innovations we’ve seen in other areas.” 

As unattended retail suppliers increase their use of technologies such as AI, data analytics and payment-acceptance methods, the level of personal data involved in purchases has changed, he noted.

“With this knowledge and information, the risks grow, and therefore, operators and others in this industry need to be much more prepared, especially when you consider that, according to a report by Ponemon Institute, the average total cost per breach has increased from $3.54 million in 2006 to $8.19 million in 2019,” Pidhirsky said. 

Pidhirsky said the COVID-19 pandemic has brought unattended retail and contactless payments considerable attention. Committing to security best practices is crucial.

“[The pandemic] has accelerated an already increasing trend and reaffirmed the need for operators to work with trusted partners who enable them to provide a secure and seamless experience to their loyal consumers,” he said. “EMV is a good example; before, it was not deemed necessary for vending where the low-ticket items weren’t deemed at risk. But now, with higher-end products being sold, it’s an extra level of security. PCI compliance is a great start but it should be a foundation for continuous improvement and implementation of tech and security best practices around access controls, encrypting data transmission and storage, securing networks, and, of course, perpetually monitoring and testing.” 

Carly Furman, CEO of Nayax LLC, noted that EMV chip card acceptance reduces the majority of card fraud, which is counterfeit fraud, not stolen card fraud. Therefore, both contact and contactless EMV certified and enabled terminals are necessary for unattended vending and micro market small-ticket transactions, she said. 

“EMV certified and enabled terminals, like Nayax’s VPOS Touch, ensure operators and their end consumers have the most secure payment solution available and give confidence to operators,” Furman said. “Locations view consumer payment security as a priority on their premises, and this value translates to increased and repeat sales plus securing contracts with locations for unattended operators.” 

A magstripe transaction, which is not EMV compliant, is easily subject to credit card theft, as the magnetic stripe carries static credit card information, Furman explained. A thief could place a skimmer on a non-EMV reader to extract that information and make duplicate cards, resulting in counterfeit card fraud. Conversely, EMV transactions utilize the chip in the card and create a dynamic transaction each time, making stealing the credit card information at the terminal almost impossible. 
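The difference between static stripe data and a dynamic chip transaction can be shown with a small model of the issuer's check. This is an added illustration, not code from the article or from any vendor it quotes; the class and function names are hypothetical, the card number is a constructed test value, and HMAC-SHA256 stands in for the real EMV cryptogram algorithm.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, pan, amount_cents, nonce, atc):
    # HMAC-SHA256 is a stand-in for the EMV cryptogram algorithm (assumption).
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def sign(self, amount_cents, nonce):
        self.atc += 1  # transaction counter: every purchase gets a new value
        return self.atc, cryptogram(self._key, self.pan, amount_cents, nonce, self.atc)

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}
    def issue(self, pan):
        self.keys[pan] = secrets.token_bytes(32)  # secret never leaves the chip
        self.last_atc[pan] = 0
        return ChipCard(pan, self.keys[pan])
    def approve_magstripe(self, pan):
        # Static data only: a copied stripe looks identical to the original.
        return pan in self.keys
    def approve_chip(self, pan, amount_cents, nonce, atc, mac):
        if pan not in self.keys or atc <= self.last_atc[pan]:
            return False  # unknown card, or counter value already used
        expected = cryptogram(self.keys[pan], pan, amount_cents, nonce, atc)
        if not hmac.compare_digest(expected, mac):
            return False  # cryptogram does not match this transaction's data
        self.last_atc[pan] = atc
        return True

def run_demo():
    issuer = Issuer()
    pan = "4000000000000002"  # constructed test number, not a real card
    card = issuer.issue(pan)
    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, mac = card.sign(150, nonce)
    return {
        "chip_first_use": issuer.approve_chip(pan, 150, nonce, atc, mac),
        "chip_same_message_again": issuer.approve_chip(pan, 150, nonce, atc, mac),
        "chip_old_mac_new_nonce": issuer.approve_chip(
            pan, 150, secrets.token_bytes(4), atc + 1, mac),
        "magstripe_first_use": issuer.approve_magstripe(pan),
        "magstripe_copy": issuer.approve_magstripe(pan),
    }

if __name__ == "__main__":
    print(run_demo())
```

The issuer accepts the chip transaction once and rejects both reuse of the captured message and the old cryptogram presented against a fresh terminal value, while the static stripe data is accepted every time it is presented.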

Recently, VISA announced that signatures are no longer required for attended transactions, regardless of the amount of the transaction.

“This supports our business model and reinforces our message that EMV acceptance (not PIN pad or signature) reduces the majority of card fraud — counterfeit fraud — since many credit cards do not have a PIN pad anyway,” she said. 

By the end of 2020, credit card companies intend to release 300 million contactless cards in the U.S., she said. Payment solutions providers should be aware of all regulations and initiatives to ensure the safety of payments and that customers may select from multiple payment options, including contactless and mobile app payments. Nayax devices do not require touching a PIN pad and reduce cash handling. 

“Nayax has the philosophy that we want operators to be able to take all of the available payment methods in the most secure methods possible,” Furman said.

It is important to use devices that use 4G LTE, as 2G and 3G towers are being phased out in the next few years, Furman noted.

“You’re not going to have telemetry data and you’re not going to be able to accept credit cards if the devices aren’t able to connect to towers,” Furman explained. “Now is the perfect time for vending and micro market operators to upgrade to an EMV certified and enabled payment solution that accepts all payment types since 2G/3G/CDMA networks are being sunset by the cellular carriers, requiring new device upgrades to 4G LTE anyway. The value of having a cutting-edge payment solution that also leverages revenue-boosting capabilities like loyalty and advertising results in a quick return on investment.”

Legal issues

Heather Bailey, partner at SmithAmundsen LLC, encourages operators to work closely with their insurance brokers so they are properly insured in case of COVID-19 claims from customers or employees. Operators need to keep track of all federal and local regulations and executive order guidance on health and safety during the pandemic. One law that operators — especially those with fewer than 500 employees — should be familiar with is the Families First law, which is part of the CARES Act. 

“Generally, employees who are affected by COVID either by testing positive, having positive family members they are taking care of or being unable to work due to school and day care closings, must be provided paid sick leave in certain instances,” Bailey said. “This currently is in effect until the end of 2020. Thus, seek guidance from labor and employment counsel to confirm you are paying out sick pay in accordance with the law.” 

Workers’ compensation is one of the most significant issues that will come up this year, Bailey added. During the coronavirus pandemic, operators should have COVID-19 questionnaires available in case an employee tests positive or is presumed to have contracted the coronavirus, as this will lessen the likelihood that the employee got the virus at work, Bailey said. Awareness that employees have recently traveled or are living with someone who has contracted COVID may diminish the risk on a workers’ compensation claim and even OSHA liability, she noted. 

Operators may want to have customers sign waivers.

“While you cannot have employees sign a release of claims related to COVID-19 since such claims are covered by workers’ compensation and cannot be waived, depending on where you are located, you could look at having customers sign such waivers,” Bailey said. “Getting counsel involved to properly draft such a waiver is recommended.” 

It is also critical to address any incidents of harassment or discrimination and ensure related policies are up to date.

“Moreover, your management team should be trained on looking for xenophobic behavior by employees towards those of Asian or Chinese descent since many people inaccurately assume they are carrying the virus,” Bailey said. “You must ward off those discrimination and harassment types of behavior.” 

She anticipates ADA and religious requests for accommodation will rise in response to face mask requirements.

“Employers have a duty to enter into the interactive process to see if there is a reasonable accommodation for the employee,” she said. 

Operators should also prepare for employment issues that could arise this year. Non-exempt hourly employees need to be logging and reporting their worked hours correctly, and all time worked must be recorded, Bailey noted. There are several apps and tools available that operators can use with their employees who work remotely.

Workers may decline to come back to work if they are making more money on unemployment, she added. Operators should ask their local unemployment office for guidance if they find themselves in this situation. 

“This type of behavior could put their unemployment in jeopardy,” Bailey said. “An employee on unemployment has a duty to be ready, willing and able to return to work. As an employer, generally, you have a duty to let the unemployment office know that you did offer them a job and they turned it down.”