3/5/2020

Keeping Your PCI Compliance & Inventory Strategies from Becoming Loss Leaders

MARCH 5, 2020

To Receive CPE

• Individuals
  . Participate in entire webinar
  . Answer polls when they are provided
• Groups
  . Group leader is the person who registered & logged on to the webinar
  . Answer polls when they are provided
  . Complete group attendance form
  . Group leader sign bottom of form
  . Submit group attendance form to [email protected] within 24 hours of webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


INTRODUCTION
Tim Reynolds, Managing Director, Food & Agribusiness

• Leads BKD’s food & agribusiness team
• Kansas City, Missouri
• CPA – Kansas, Ohio, Missouri
• More than 27 years of professional
• Specializes in providing tax & operational consulting services to food retailers & food manufacturers
  . Helps with financial & operational performance
  . Helps identify & manage risk

INTRODUCTION
Rex Johnson, Director, Cybersecurity

• BKD Cyber & (PCI) practice leader
• Kansas City, Missouri
• CISSP®, CISA®, CIPT, PMP®, PCIP™, QSA
• More than 25 years of professional service
• Assists with cybersecurity solutions
  . IT & governance
  . Technical assessments
  . PCI & other compliance assessments


Part 1: Inventory Management Strategies in the Grocery Industry

PRESENTED BY: TIM REYNOLDS

OUR GOALS FOR TODAY

1. Inventory Shrink – The Basics
2. Inventory Shrink Best Practices – Key Departments
3. Inventory Shrink – General Best Practices
4. Loss Prevention – Common Best Practices


Inventory Shrink – The Basics

• Definition
  . The difference between profits that SHOULD have been made versus profits ACTUALLY made
  . “Accounting lingo” – the unexplained difference (loss) between expected ending inventory versus the actual inventory balance on hand when a physical inventory is taken

                   Financial Statements   Physical Inventory   Difference
Ending Inventory   $2,500,000             $2,400,000           $(100,000)

Sales = $5,000,000
Shrink = $100,000 / $5,000,000 = 2%

Inventory Shrink – The Basics

• Primary sources

. Theft (≈ 1/3) – customers, employees, vendors, organized crime

. Operational (≈ 2/3) – customer breakage, improper storage, handling, ordering & planning by the retailer, errors with receiving, checkout (cashier) process & expired product


Inventory Shrink – The Basics

• How much?
• Shrink WILL occur ... how much will depend on
  . Ability to acknowledge & recognize it
  . Ability to change the “mindset” – is this a broken bottle of ketchup or is it $3.99 in inventory dollars?
  . Commitment & discipline from the “top to the bottom” of the & accountability
  . Training, training, training!

Inventory Shrink – The Basics

• Measurement – two methods
  . Cost method – based on retailer’s “cost” of product. Benefits the accounting process, as it’s easier to track on the financial records
  . Retail method – based on what the retailer would “sell” it for. Usually higher than cost due to markup, but easier to understand since it uses retail amounts (the price) & employees can relate to it better
  . No “right or wrong” method – close to a 50/50 split on method used in industry


Inventory Shrink – The Basics

• Impact of shrink
  . Money – shrink can cost retailers thousands of dollars every year in product loss & wasted labor with cleaning, processing, etc.
  . Store image – consumers who discover high amounts of expired product in stores. Will they come back? Tell their friends? Post on social media? Who’s ready for that?!

Inventory Shrink – The Basics

• Signs of shrink
  . Material “gap” between expected profit versus actual profit, or gaps between expected inventory versus actual inventory
  . Financial statement profit versus cash in the
  . Downward trend in cash flow
  . Lack of
  . Lack of a shrink mindset at one or more levels
  . Lack of a shrink program!


Inventory Shrink – Produce Department

• Proper training of cashiers with product identification, ringing
• Monitoring misting, proper moisture, culling, procedures
• Proper rack display procedures – damaged product!
• Equipment maintenance – keep up!
• Movement analysis – space to
• Verification of “sale on” & “sale off” pricing
• Sanitation & rotation practices in the holding cooler!

Inventory Shrink – Meat & Seafood

• Monitor & keep accurate records on fresh cuts for over-under production. Too much variety may help image, but it breeds spoilage!
• Strong controls on “cents-off” program
• Strong controls on receiving program
• Equipment maintenance – keep up!
• Cutting tests to ensure proper yields
• Verification of “sale on” & “sale off” pricing
• Sanitation & rotation practices in the holding cooler!


Inventory Shrink – Deli & Bakery

• Monitor sales velocity & match production – “stale pull report”
• Cross-promote – use the “food furniture!”
• Monitor supply costs
• Equipment maintenance, temp controls – keep up!
• New item signage & suggestive selling
• Verification of “sale on” & “sale off” pricing
• Sanitation & rotation practices in the holding cooler!

Inventory Shrink – General

• Receiving – one of the most important roles in a store! Count it!
• Clean, organized back room, unloading & return areas
• Limited access for vendors – storage, disposal areas
• Training on proper storage, handling, stocking procedures
• Careful placement of high-dollar or easily pilfered items
• Monitor waste areas & dumpster for discarded items
• Keep records, monitor seasonal demands & trends


Inventory Shrink – Summary

• Shrink can occur in many places; however, it’s one of the most controllable costs of operating a retail store with the proper training, a change in mindset & accountability … & minimal investment
• Surprisingly … the vast majority of independent retailers DO NOT have a shrink program as compared to larger chains. It’s an “option” versus a “fundamental” standard operating procedure!
• Consider a shrink program assessment & implement a program!
• Consider reward & appreciation programs for reductions in shrink!

Loss Prevention

• RFID tags on high-dollar value items
• Restrooms at the front – store /remodels
• CCTV
• Back doors & exit doors secured at all times
• Key controls – account for
• Use clear trash bags
• Dumpster/compactor controls
• Train cashiers on coupon fraud, fake currency


Loss Prevention

• Train cashiers/baggers on concealed product
• Analyze register sales % to store sales %
• Train service desk to log, spot trends on returns
• Require background checks on ALL cashiers!
• Track over/shorts – trends, frequency, amounts
• Track “no sales,” refunds, voids, coupons, “one-cent” sales that are not consistent with pricing
• Prosecute! Set the tone!

Part 2: Understanding Payment Card Industry (PCI) Compliance

PRESENTED BY: REX JOHNSON


OUR GOALS FOR TODAY

1. What Is PCI Compliance?
2. Completing the PCI Assessment (ROC or SAQ)
3. Risks & Threats to PCI Security
4. Benefits to PCI Compliance

Background on PCI Compliance

• Many years ago, the payment card brands elected to have a standard for assessing the protection of cardholder data (CHD)
• Implemented the Payment Card Industry Data Security Standard (PCI DSS)
• If an organization accepts card payment & stores, processes or transmits cardholder data, they need to be PCI DSS compliant
• PCI DSS is a set of rules, not a law, that is enforced by the payment brands & governed by the PCI Security Standards Council


PCI Security Standards Council

• PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council
• Created to increase controls around cardholder data to reduce fraud
• Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA)

[Diagram: PCI standards by audience – Manufacturers: PCI PTS (PIN entry devices); Software developers: PCI PA-DSS (payment applications); Merchants & service providers: PCI DSS (secure environment); P2PE]

How Do You Take Credit Card Payments?

Organizations (called merchants in the PCI world) typically have more than one way to take a payment, known as a payment channel:

• In person – payment devices (POS POI)
• Telephone orders
• order
• Online
• Phone


Two Types of Assessments

ROC
• Report on compliance (ROC)
• Must be performed by an independent organization
• Led by a QSA
• Level 1 merchants & service providers
• Acquiring bank may elect other levels to do a ROC

SAQ
• Self-assessment questionnaire (SAQ)
• Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance
• May engage a QSA to assist or perform
• Eight different types of SAQs
• All levels except Level 1

The organization’s bank/ (acquirer) or card brands will determine type of assessment

Attestation of Compliance

PCI Levels – Merchants in General

Level   Annual Transactions    Validation Actions                              Validated By
1       6 to 20 million        • Annual on-site security audit (ROC)           • Independent assessor (QSA) or IA with PCI training
                               • Quarterly network scan                        • Scans conducted by ASV
2       1 to 6 million         • Annual self-assessment questionnaire (SAQ)    • Merchant (self-assessment)
3       20,000 to 1 million      & quarterly network scan                      • QSA is optional or may be directed by acquirer
4       20,000 or less         • Annual SAQ & network scan recommended         • Scans conducted by ASV


PCI SAQ Types

Type of SAQ depends on the type of merchant environment & is confirmed by the acquirer

• A: card-not-present merchants (e-commerce or mail/telephone order)
• A-EP: e-commerce merchants who outsourced payment processing to third parties
• B: merchants using a) imprint machines or b) standalone dial-out terminals
• B-IP: standalone, PTS-approved payment terminals
• C-VT: manually enter a single transaction at a time into a virtual payment terminal (not e-commerce)
• C: payment applications connected to the , no electronic CHD storage
• P2PE: hardware payment terminals managed by a P2PE solution (not e-commerce)
• D: all merchants not included in the above

PCI DSS Requirements

Goals / PCI DSS Requirements

Build & maintain a secure network
  1. Install & maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords & other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Use & regularly update anti-virus software or programs
  6. Develop & maintain secure systems & applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor & test networks
  10. Track & monitor all access to network resources & cardholder data
  11. Regularly test security systems & processes

Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel


Compensating Controls

• In the event that an organization does not meet a PCI control, the assessor can determine if compensating controls are in place
• Compensating controls worksheet is listed in the ROC template
  . Constraints
  . Objectives
  . Identified risk
  . Definition of compensating controls
  . Validation of compensating controls
  . Maintenance
• Must address risk & be stronger than the control it is replacing
• Management must approve compensating controls every year

Lack of PCI Compliance Can Cost

• Lost confidence & customers go to other merchants
• Diminished sales
• Cost of reissuing new payment cards
• Fines
• Fraud losses
• Higher subsequent costs of compliance
• Termination of the ability to accept credit cards
• Going out of business


Device Tampering: Skimming

• A skimming device is a camouflaged counterfeit card reader that records the card’s information
• It will still allow the cardholder to perform their transaction
• Used at ATM machines, retail stores & taxis
• Can sometimes be a hand-held skimmer small enough to fit into a pocket

Tokenization

• The process of replacing a credit card number (PAN) with a unique set of numbers that have no bearing on the original data
• Creates specific characters that only during the transaction
• Reduces risk of credit card data theft or misuse


Evolving Role of PCI

• PCI is currently on version 3.2.1 of the standard
• Multiple SAQs have evolved due to updates in technology & how cards are accepted
• Version 4.0 has been released in draft form to QSAs for review & comment
• V. 4.0 looks to
  . Update terminology
  . Provide some customization
  . Strengthen standards to protect card data

Why Is PCI DSS Compliance Important?

• Hackers & large international organized crime target merchants & their payment channels
• High fees for noncompliance with PCI DSS
  . At the discretion of the payment brands
  . $5,000 to $10,000 per month
• The fallout of a card data breach
  . The resulting costs can be significant
  . Breach could result in an average cost of $200 per card number lost
  . Long-term reputational effects to an organization


Benefits of PCI Compliance

• The security of cardholder data affects everyone
• Increases security of cardholder data
• Customer confidence
• Better protection for clients
• Universal principles
• Avoidance of fines
• Reduces the cost of a breach

Questions


Continuing Professional (CPE) Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its : www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered.

CPE Credit

• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


Thank You!

Tim Reynolds – 816.221.6300 – [email protected]
Rex Johnson – 816.489.4327 – [email protected] – Twitter: @RexSecurity