Compliance Scorecard: Retail Security

As a retail security manager, are you compliant with these four regulations?

SAFE Data Act

As of this writing, the U.S. House of Representatives Energy & Commerce Committee is considering HR 2577, the Secure and Fortify Electronic Data Act. The Act would require “any person engaged in interstate commerce that owns or possesses data containing personal information related to that commercial activity … to establish and implement reasonable policies and procedures regarding information security practices for the treatment and protection of personal information.”

NRF Active Shooter Guidelines

The National Retail Federation (NRF) originally created emergency response guidelines for active shooter situations in 2008. Earlier this year, it reported that it had updated the guidelines as recommended by the U.S. Department of Homeland Security.

NRF Crowd Control Guidelines

In 2010, the NRF also updated its guidelines for crowd control in advance of Black Friday. The guidelines cover how to plan for the safety of customers, associates, service providers and security personnel in preparation for high-volume promotional events including holiday sales, as well as other events such as protests, parades, sporting and political events, and citywide meetings.

PCI DSS Tokenization Guidelines

The PCI Security Standards Council released these guidelines in August to outline the basic principles governing the use of tokenization—a process by which the primary account number (PAN) or card number for payment is replaced with a surrogate value called a token. The guidance states that parts of a retailer’s system may be considered out of the scope of PCI governance if they properly use tokens. There are many caveats, however. The report states that token programs “do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply. Verifying the effectiveness of a tokenization implementation is necessary and includes confirming that PAN is not retrievable from any system component removed from the scope of PCI DSS.”

Organized Retail Crime

Over the past several years, the U.S. Congress has introduced many pieces of federal legislation to combat organized retail crime (ORC), but all have failed. The most recent attempt, the Organized Retail Theft Investigation and Prosecution Act of 2010, appeared promising to many when it passed the House last November, but it was pushed off the agenda by budget issues so was never considered in the Senate.

In the absence of federal law, some states have endeavored to enact legislation to increase penalties for ORC. The most recent state bills signed into law come from Texas and Illinois. Texas House Bill 2482 removes a minimum theft value threshold of $1,500 for the offense of organized retail theft, and increases penalties based on the value of merchandise involved and the extent of the individual’s participation in the scheme. Illinois HB 6460 signed by governor Pat Quinn in February, allows prosecutors to seek forfeiture of assets of those convicted of organized retail crime.

The Security Executive Council ( is a leading problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk. Our research, services, and tools work to help security leaders initiate, enhance or innovate security programs; build their leadership skills; and bring quantifiable value to their organizations.