Right on the Money
A conversation with banking and retail security professionals reveals how funding, PCI compliance, fraud and the recession make securing their banking, financial and retail facilities a challenge.
Money moves from bank to retailer and back to bank. Just as important, personal information accompanies any electronic transaction. Security magazine editor Diane Ritchey and SDM magazine editor Laura Stepanek brought together financial, banking and retail professionals and a security integrator to discuss how their industries are similar but yet have such differing security needs from other segments.
Diane Ritchey: What do you think are some of the unique needs and security concerns for your bank and versus another vertical market?
John Deerin: We have two distinct and consistent threats year in year out. Bank robbery still remains a very active problem, and that is our primary concern on the physical security side. On the non-physical side fraud, of all types, is the ongoing and never ending concern to banks. On the bank robbery side, it’s all about the safety of our clients and employees. That’s the number one concern in bank robbery. Fraud is our greatest threat to the bottom line and also from a confidence standpoint. We also maintain a tremendous amount of non-public personal information that has to be protected just like we protect the money in our vault.
Dave Merrick: I think most retailers today are very concerned about PCI requirements and keeping credit card data secure. Even the small convenience store has the same level of compliance requirements that larger facilities would have today.
Diane Ritchey: Lou, you probably have a lot of insight into this area as well.
Louis DeFalco: There are four tiers of PCI. The big-box stores, such as Kmart, Wal-Mart and Target are at tier one. We were at three in the old standards, and now we have gone up to level two. I have instituted card reader systems and video access into our security areas and card systems. We are encrypted at store level, and nothing is decrypted until it gets back here. Like many retailers, we have gone to the type of Telepad systems where retailers aren’t even taking possession of the cards anymore just to limit the ability of fraud. But it protects the companies to get paid as long as we have a signature, an approval code and a clean swipe. PCI compliance is big, and we have actually brought some ethical hackers into the system just to make sure that we are as good as we can get.
Diane Ritchey: Dave, do you have additional comments on this coming from the integrator side?
Dave Merrick: I wanted to address some of the items that convenience stores and fuel companies may have in relation to some of the things they are very concerned about today. In addition to PCI compliance, with the cost of fuel being so high, convenience stores are very concerned about drive offs. Every time fuel begins to rise to $4 a gallon, their level of drive offs correspond accordingly. That’s a very, very big, important thing, so license plate recognition and facial recognition are critical. Just like banks, they are vulnerable to robbery and protecting employees is very important. So POS integration has become extremely important for them. Today, those types of retailers are looking at what’s happening in their stores on a daily basis, using video in order to make certain stores are properly staffed, that the lines are within tolerable levels in terms of people waiting to get serviced, and things like that. Security is certainly becoming more multi-dimensional for them.
Larry DeBlasio: There is an increased use of security for non-traditional purposes. For example, we monitor employee flow into the building in the morning rush hour to make sure we have sufficient staff on hand. I think this gives security a multi-faceted intrinsic value, especially when you consider the cost associated with security equipment.
Dave Merrick: That’s a very good point, Larry. If you tack on customer counting during points of the day when the traffic may be high and using the camera to look at people coming in and going out of the location, you can rationalize your traffic in relation to sales, by opening later or closing earlier.
Larry DeBlasio: It is important for the organization’s leadership to view security executives as trusted advisors and subject matter experts. When they feel comfortable that we understand not only the security environment but also their business concerns, then the support and counsel we provide has greater credibility. That makes it more likely that business leaders will come to us for solutions.
Dave Merrick: If you look at a video camera as a set of eyes, it doesn’t matter whether that set of eyes is present ahead of a security person, an ops person or a marketing person, as long as they are seeing what they would like to see within a store serving their particular jurisdiction.
Diane Ritchey: Has the recession made your role more difficult? Larry, have you seen significant changes in loss prevention or crime in your organization?
Larry DeBlasio: Well, the challenge we face is that our current economic environment is causing crime to go up – making it necessary to increase our security services. On the other hand, because of the environment, we’re being asked to keep our costs down. To accomplish both goals, we use an intelligence-supported approach to resource deployment in a random strategic manner. We also work very closely with our public and private sector partners and our internal communications staff to aggressively promote security awareness for our employees.
Diane Ritchey:John, you have a unique perspective of being in a bank environment and we do see data from the FBI that talks about bank robberies. What’s your experience with the recession in crime?
John Deerin: Surprisingly, the bank robbery numbers have actually gone down a fair amount in the last couple of years. For the most part the bank security industry maintains robust preventative measures. For example, our financial institution utilizes armed security officers. But fraud is consistently high and problematic. Credit card and debit card counterfeiting are very active. Whether the escalation in fraud is related to ongoing economic conditions or the heightened cyber environment is unknown to me. At our relatively small community bank we utilize a fraud detection software program to detect not only fraud but money laundering as well. Larger banks are manned by large teams of employees monitoring this activity.
Louis DeFalco: We have never been a big target for robberies as your typical liquor store; we are not a typical liquor store chain. Our cash controls are extremely tight, we use time-lock safes, and based on recent national statistics, fraud has gone up 300 percent in the last couple of years. We have had POS integration for many years; that is key to controlling in-store fraud and external fraud as well. We have IP cameras – we have very high-end systems at our stores. Some other retailers are extremely vulnerable because their companies have that mentality that we are kept in a box and an expense. I have created incentive programs and bonus programs for the employees if they capture a fake credit card or a fake ID or counterfeit money. I started tracking what we are saving, and we have saved the company just in employee reimbursement for fraud and theft and settlements with shoplifting programs and working with law enforcement. You have to keep your foot on the gas, take it a day at a time and just see what comes your way.
John Deerin: When it comes to combating those types of issues, partner with both your local law enforcement and with your peers in your geographic area so that you share information on a regular basis. So if there are trends that they are seeing that you are not, you are ahead of the curve.
Louis DeFalco: The biggest thing in retail concerns the protection of their employees – they by far suffer the most numbers of murders of staff on onsite; I think they average about a 1,000 per year. Trial lawyers have become very adept at understanding the dos and don’ts of duty-to-protect legislations. Companies might lose big because a security function that was supposed to be working at the time was not and may have added to the vulnerability of a particular employee, customer or visitor. Second, we have seen a lot of copper theft, and this has do with the shuttering of locations across the country. One of our largest chain retail grocery stores shut down about 60 sites over the past year, and every time they shut down they would get a flood of people in there stealing as much copper as possible. Because of the requirements of their lease, they had to restore all that was stolen to the tune of about $160,000 per location. That’s very important, especially as it relates to office buildings with a lot of copper medium on the roof for HVAC programs. Third, retailers used to spend about 5 percent of their gross sales on security-related expenses. That has gone down to about 3.7 percent or 3.8 percent in 2009. Now, it has gone back up again because their requirements are to get back into the old technologies and upgrade them entirely with some of the new things that are available. Loss prevention department and retail look at themselves as profit preservers because they know firsthand that they don’t need every dollar they save from shoplifting.
Diane Ritchey: Dave, can you explain what you have found useful in terms of funding?
Dave Merrick: The retailers I work with are significantly larger. Return on investment is a big word. It has been in the industry for a long time. When retailers look at implementing a new technology, they look at what’s going to be their return on their investment. The other area is compliance-related costs. We have a compliance program inspector who provides for false alarm regulation management and also the application management of permits. There are currently 1,200 permits across the country that relate to the operation and jurisdiction of the alarm system. All of our retailers have to have those completely up-to-date and operable. So the return on investment for them has been incredible. In fact, we began to do false alarm analysis with some of our larger customers – they were paying upwards of $1 million a year in false alarms that never anybody looked at because it just hit the individual store budgets.
Diane Ritchey:John, you are a bit different because you are guided by so many regulations in your bank. Outside of that, how do you secure new funding?
John Deerin: Our funding is pretty consistent in the bank security business. I am speaking for my current bank, but I was with a large financial institution for 15 years and talked to my colleagues all the time. I think the funding remains fairly stable, but I am sure there are budget challenges, and they try to look for cost-saving opportunities. But bottom line is we maintain a pretty consistent level of funding. I think the executive management of banks always understands that they need to afford the best security possible to protect their employees and customers. So I would say the environment hasn’t affected us much in that regard.
Dave Merrick: John, when the bank industry has a loss in terms of people escaping with cash, what is the rate of recovery?
John Deerin: That’s a great question. There are two primary ways we lose money. One is on the bank robbery side and the other from fraud. These losses are categorized as “non-credit losses.” Fraud typically represents 90 percent of non-credit losses. So, bank robbery is really a non-money issue. The recovery level for both robbery and fraud is typically not significant. It’s all about prevention in our business, as I’m sure is similar in regards to other retail security.
Dave Merrick: Diane, that’s a good point that John has made – in retail, the slips and falls are easy payouts. For example, I go into a grocery store, I throw a bunch of eggs on the floor, they crack, and I slip and fall. If there is no camera there, they just see me and my fall. I am leaving there with the check for anywhere between $12,000 and $15,000. So that’s one of the reasons why prevention is so important.
Diane Ritchey: Larry, speaking from a corporate view, how do you secure new funding?
Larry DeBlasio: The senior management team at Prudential is very supportive of our program. They understand that we’re prudent with our budget and that we make intelligent choices. We use Cap Index for risk assessment and we consult with the business units to fully understand their current and future needs so that we can apply resources appropriately. We also work with ASIS, and we utilize the latest technology to provide services more effectively. We, we have built strong relationship within the business units and we are seen as trusted advisors and subject matter experts. And we have a proven track record of success in our collaborative approach to finding solutions to business unit security concerns. These two factors make it easier for us to get the funding we need.
Diane Ritchey: Lou, you mentioned some ways you are saving money, such as listing employee incentive programs, but what else are you doing to secure funding?
Louis DeFalco: Well, when they recruited me seven years ago, they were still using VCRs and two cameras on a 10,000- to 15,000-square-foot business model. When they hired me to come in and fix the problems, it was a culture change that was needed…ABC chain is a family-owned business. I think any retailer has to deal with the corporate environment; even with a family-owned business, you have all of those hoops to jumps through. Coming from Las Vegas, I didn’t have the budgetary restrictions that we do in this world. So I had to look at a lot of different avenues on where I could secure funding. My ROI took me about 6 months; I actually purchased some very small, low-end, store-safe, 40 gig, nine-camera DVR units to get them a little acclimated to digital technology. The proposal was about a 15-minute proposal, and we pulled the trigger on a $2 million investment that paid for itself within 6 months. I have been continuously tracking things. It has been a culture change and a team effort. If it wasn’t for my support staff and all of the things that we have done in accounting, in the stores, cultures, in the field management, we wouldn’t be where we are now. I think all of those aspects put together secured that funding because now the owners know exactly what we are saving. They shared some of the numbers of what this has saved them overall. Their shrink numbers were two percent or three percent on $1 billion. We have been sitting at less than one-quarter of one percent for the last five years straight. It is a huge amount of money, so you can show justification for it.
Larry DeBlasio: Twice a year we formally survey Prudential senior executives and a random sampling of other associates to understand how secure they feel on the job. The survey often gives us great ideas for new security initiatives. The survey helps make sure that we provide the services our management and employees value and need.
Diane Ritchey: John, what’s on your technology wish list that you could employ either today or in the future if money was no object?
John Deerin: I am not an IT security person in any form or fashion, but I will say that cyber crime is extremely concerning to me. So on my wish list would be IT security firewalls, intrusion detection, all of those high-tech things that have biometrics integrated, whether it’s at the retail store at the credit card level presentation with continued enhancement of video. We are probably already there and getting better all the time, but you can’t get too good as far as the video that you have. And again I think that most of that’s there but I’d like to integrate it with the alarm systems and with our monitoring company having the ability to monitor video as well. Last, I would say on the fraud side, I’d like to continue to have programs that give us an ability to prevent losses, which is definitely where we want to be on the prevention side of things.
Larry DeBlasio: We’re using video enhancements, including IP cameras with analytics quite extensively. Staying on the cutting edge of technology allows us to enhance our security toolkit. We’re exploring the use of secured wireless devices and their application in urban as well as suburban environments.
Louis DeFalco: On the IT side, we don’t spend as much time as I guarantee the banks do, but we do spend a significant amount of time on credit card fraud and check fraud. There are different things out there now to help with that. We can work closer with the banks and the credit card companies – a lot of them like keeping things close to the vest and getting information out of them to try to secure funds; that’s one of the reasons why we went to the other kind of debit pad system. Biometrics is another thing that I have already been looking at and for a while. We actually Beta tested a new time-lock safe with biometrics. That’s going to be the new wave even on the credit and debit side of pads. As soon as we find a way to plug the hole, the bad guys find another way in. It’s a constant battle and never ending. If we had unlimited resources, it sure would make our job easier. But the reality is we have to keep pounding away day in and day out trying to stay a step ahead of the bad guys.
Dave Merrick: I want to dovetail what John had said about banks. One of the venues where facial recognition technology has been extremely dependable has been in the banking institutions because the facial recognition cameras are looking at people who are relatively still for a period of time. So I know that one company in particular out of California called 3VR has done remarkable work with banks and being able to track people going into specific branches who may have bad intentions. Also, retail is headed toward private networks – they are getting their life safety and asset protection technologies off their main IT backbones and on to separate networks, which would be managed by companies like us. That creates fewer headaches in terms of managing. It also gets rid of the hodgepodge of POTS lines and all types of things across to retailers. It’s maybe several hundreds dollars a month in charges, but they remain unseen until people really take a look at them. I think those are major things we will see coming in the next year or two.
More Bank Robberies, Fewer Burglaries at Banks
According to the latest Bank Crime Statistics report from the Federal Bureau of Investigation, during the third quarter 2010, U.S. financial institutions reported 1,325 bank robberies, burglaries, larcenies or extortions, an increase from the 1,212 reported violations in the same quarter of 2009. Specifically, there were 1,310 robberies, 13 burglaries, two larcenies and six extortions of financial institutions reported. Not all bank crimes are reported to the FBI.
Some highlights from the report:
The Roundtable Participants
Lawrence DeBlasio is a director in Global Security and head of the Domestic Security and Asset Protection Group at Prudential, which is responsible for security force operations, the command center and all physical security projects. Prior to joining Prudential in 2006, DeBlasio had 18 years of experience providing security services to various public and private sector firms, including the Bank of New York, where he was assistant vice president for security operations and Chase Manhattan Bank, where he was responsible for the security of the ATM Network. DeBlasio has a bachelor of science degree in management and organizational behavior from New York University Stern School of Business. DeBlasio is a member of ASIS, the New York City Area Police Private Security Liaison, the Newark Downtown District Security Task Force, and the National Association of Chiefs of Police. He is a board member with the Newark FBI Citizens Academy Alumni Association; and co-chair of the Prudential Volunteer Council. He also has served as a Big Brother Big Sister Work Place Mentor.
Louis DeFalco has been in the Law Enforcement, Safety, Security and Investigations field for more than 30 years. He worked as a Narcotics and Gang Unit Detective for the Las Vegas Metropolitan Police Department. He was the director of security and surveillance for three prestigious hotel and casinos in Las Vegas, Nevada and was the previous owner of Worldwide Investigations located in both Nevada and California. DeFalco also is the writer and co-developer of an industry specific software program that covers all Fire, Life Safety, and Security issues for the hospitality industry to include ADA Compliance and Terrorist Preparedness pre- and post- incident. He is currently the director of safety, security and investigations for the largest privately held liquor store chain in the country, ABC Fine Wine and Spirits with 1,900 employees and 160 stores across the state of Florida.
John Deerin is the security director for The Bank of Tampa in Tampa, Fla. With assets in excess of $950 million, The Bank of Tampa is the largest independently owned bank in Hillsborough County and the 12th largest independent bank in Florida. As the bank’s security director, Deerin is responsible for all aspects of the security of the financial institution, its employees and its clients. Deerin is also the Bank Secrecy Officer and is responsible for directing the Bank’s anti-money laundering program. Deerin started his banking career in 1987 with the Barnett Bank of Florida as a credit card fraud investigator. He was then promoted to regional manager of corporate security for the west coast of Florida responsible for the overall security of more than 250 bank offices. He remained in this position during Barnett Bank’s merger with Bank of America before joining The Bank of Tampa in 2002. Prior to his banking career, Deerin was a police officer for 10 years, rising to the rank of sergeant. He graduated from Florida State University with a bachelor’s degree in criminology and attended graduate school at the University of South Carolina’s School of Criminal Justice.
Dave Merrick began his career in the electronic security industry during 1979. Since that time he has held various sales and marketing management positions, first with Automatic Detection Systems and then Triple A Protection, a Pennsylvania based regional supplier of residential and commercial electronic security and uniformed guard services. In 1999, he became part of Vector Security, and today serves as vice president of marketing. In this capacity, Merrick works with Vector’s various business models including the National Accounts Division, Authorized Dealer Program, Builder Services Division, Corporate Acquisitions and Vector’s branch office network. His responsibilities include the development of print, electronic and on-line based advertising and marketing programs and support collateral and the development of public relations materials.