May 1st, 2014 by Mike Spence

I know that security is never fun to talk about.  People hate thinking about theft.  So let’s call this a conversation about ‘preventative maintenance’ instead.

1.  Don’t have the same employee code for everyone.  Have the employees use an individual code for clocking in and for taking orders.  It does not take much to set up and it’s not that hard for employees to get.

2.  Go through your security settings and make sure that employees don’t have the ability to re-open tickets or void tickets once completed.   While you are at it, make sure it takes a level 9 security to change security levels!

3.  Check that you don’t have any 100% or open discounts without security.  If you do, place a manager or owner level security on them.

4.  Don’t let employees open the cash drawer with a key.  It only leads to problems with the cash.

5.  Check your audit reports as well as your employee summary report every once in a while.  When employees know you are on top of things, they are less likely to try and steal.

 

There you go, five short, easy methods of security that you can implement.

 

Posted in Employees, Order Entry, theft

January 2nd, 2014 by Mike Spence

In case I haven’t said it already – Happy New Year!  With the new year comes a time for reflection on the past year as well as an eagerness to improve in the next one.  I was talking to Eric (our Customer Service Manager) the other day and asked him what he thought our customers should review from the previous year.  His response?

Security.  Our customers often set up their security levels when they first set up SP-1.  For some of our customers, that is also the same time they are opening their brand new business.  It is always a good idea to go through the security settings and audits so our customers can see if they need any modifications.

 

Sounds like good advice to me!  Here are a few things to consider:

  • Security levels: Who has access to what features?  Does your employee need access to past days’ reporting or is today good enough?  What about voiding tickets, deleting items or changing deliveries?  Let us go through these settings with you and recap what is important.
  • Employee Access:  Is each of your employees using their own code or card to access the system?  If not, maybe consider moving to that.
  • Cash Accountability:  Could you use a second cash drawer so you can separate out which employee did what?  What about a second or third insert for shift changes?

I hope that some of this makes you think about how SP-1 by SelbySoft can assist your growth in 2014!
Mike.

Posted in Technology, theft

September 4th, 2012 by Mike Spence

Security is important.  I think we all agree about that!  The question is how to best set it up?

First, we have to talk about how security levels in SP-1 work.  SP-1 supports eleven different levels for employees.  Each employee is assigned a number that represents what their minimum security level is.  So, if you assign an employee level 3, they can do anything that requires a 0, 1, 2 or 3 level password.

The first security level is actually blank – If an employee has no security level number in their file then they can only clock in and out.  This allows you to use that security for bakers, prep personnel etc.  This security level has no access to any other function of the software.

The others are 0 through 9.  Below are some suggestions as to what levels should be used for.

Level 3 – We recommend that this be used for shift supervisors or assistant managers.

Level 5 – We recommend that this be used for an in-store manager level.

Level 7 – Recommended level for any area or district managers when using multiple locations.

Level 9 – Owner level security.

Using this as a template gives you the ability to still have areas for growth!

 

Posted in Employees, Order Entry, theft

January 12th, 2012 by Mike Spence

PCI DSS is confusing stuff.    The fact is that as a business that processes, stores or transmits credit card data, you are required to validate your compliance with the PCI-DSS standards.

Note that I said you have to validate.  That does not mean that your data is safe!    Most stores are responsible for completing an annual Self Assessment Questionnaire (SAQ) and a quarterly report from an Authorized Security Vendor (ASV) that you have passed a network scan.

Note that the PCI SAQ C-2 is the document that most of our customers are required to fill out.  It’s 26 pages long and considered the “shortened version”.

So, what does it say?  In short, use common sense.    There are 11 sections to the document and each has its own particular bit of verification.   NOTE, don’t take any of the following as legal advice or as the final word on how to fill out your PCI documents!

1)  Install a firewall and have it configured properly.  Hopefully you have secured your WiFi and separated it from your POS system.

2)  Don’t use default passwords.  We won’t let you do this in version 7.60 and above but you still need to do it with your other passwords in Windows, your router etc.

3)  Protect cardholder data.  Make sure that your POS does not store card data and ensure that the credit card numbers are masked etc.  Don’t write credit card numbers down and use an integrated solution.

4)  Encrypt transmission of the card data on networks.   We encrypt the data per standards between the local nodes on the network.

5)  Use an anti-virus.  We like Microsoft Security Essentials.

6)  Develop & maintain secure systems.  Make sure you maintain your POS with the most updated version.  Your Windows critical updates also need to be kept up to date.

7)  Restrict access to cardholder data to people that need it. Since the cards are not stored in SP-1, this is handled.  If you write numbers down and save them, then you are opening a whole other can of worms.

8)  Assign unique IDs to each person with POS access.  You do have unique employee IDs, right?

9)  Restrict physical access to cardholder data.  Since we don’t store cardholder data this should be a no-brainer.  If you write numbers down for some reason you need to have policies and procedures in place to ensure that the data is not taken off site.  Also, the written numbers need to be secured in store (i.e. locked) until they are destroyed.

11) Test your processes and security systems.  Make sure that you have a way to see if the network has been compromised (hacked).  Even a USB drive plugged in, unapproved software downloaded or a wireless device installed can throw this question off.  Make sure you don’t let your POS become a home computer.  Also, you have to have a qualified internal or external party perform a quarterly scan.

12) Maintain a policy that addresses information security.  This concerns a lot of security issues in your store.  One of the things most stores have never thought about is that you must have policies and procedures in place covering employee electronic devices.  Yes, you are supposed to have a list of which employees are allowed to have what type of electronic devices in your store!

Posted in POS Features, Technology

July 26th, 2011 by Mike Spence



Are you really secure?  Let’s ask some questions:


Do you review the security levels in SP-1 from time to time?  

If not, you should.  It’s vital to check over what access employees and managers have.  Remember that your store evolves over time.  Call us to confirm what your employees are currently allowed to do.

Are you checking that your password is not being used by anyone else?

Check the audit reports we offer and compare them to the times you and your manager work.  If you see those employee codes used when you are not there, then you have a problem! 

Do you change your password on a regular basis?
I hope so!  In 7.60 and above, you are required (PCI / PA-DSS Standards) to change your password every 90 days.  If you are not doing that now, you should be.  It’s one of the best ways to ensure your employees don’t have access to your system.


Are you using “hard” passwords?
Is your password “1234” or your name?  That’s not OK and we all know it.  Your passwords should be at least seven characters with a combination of letters and numbers. 


Do you allow Windows access?
This is a tough one.  In some cases you may have to.  If you don’t have a specific need to, then make sure you set SP-1 up to be maximized at all times.  This helps eliminate the ability to access Windows.  If you do allow employee access, then check the Internet Explorer history on a  regular basis to see what your employees are doing online. 

What about checking your Audit Reports with Customer Service?
Call us on this.  Seriously – you need to ask about this.  Basically, we can show you any ticket that has been altered or reduced and help you stay on top of theft. 

Do your employees have a separate code to clock in?  What about employee cards or fingerprint ID?

Please don’t use one employee code or card for everyone in your store!  If you have to use codes then make sure each employee has their own.  This will allow you to track who is doing what and when! 

Hopefully, you answered all of these correctly!  If you didn’t then you might want to call us to review how we can make sure you are as safe from theft as possible. 
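
The audit-report check described above (compare when a manager or owner code was used against when that person was actually working) can be automated. This is an added example, not SelbySoft code: the "timestamp,employee_code,action" line format, the codes and the shift table are constructed for illustration, since the post does not show the SP-1 audit report layout.

```python
from datetime import datetime

# Constructed sample data; the real SP-1 audit report layout is an assumption.
AUDIT_LINES = """\
2011-08-02 11:15,MGR1,void ticket
2011-08-02 21:40,MGR1,void ticket
2011-08-03 09:05,OWNER,discount 100%
2011-08-03 14:30,EMP7,no sale
""".splitlines()

# Constructed schedule: when the holder of each privileged code was on site.
SHIFTS = {
    "MGR1": [("2011-08-02 10:00", "2011-08-02 18:00")],
    "OWNER": [("2011-08-03 08:00", "2011-08-03 12:00")],
}

FMT = "%Y-%m-%d %H:%M"


def off_shift_use(audit_lines, shifts):
    """Return audit entries where a privileged code was used outside its holder's shifts."""
    flagged = []
    for line in audit_lines:
        stamp, code, action = (part.strip() for part in line.split(",", 2))
        if code not in shifts:
            continue  # only codes with a known schedule are checked
        when = datetime.strptime(stamp, FMT)
        on_site = any(
            datetime.strptime(start, FMT) <= when <= datetime.strptime(end, FMT)
            for start, end in shifts[code]
        )
        if not on_site:
            flagged.append((stamp, code, action))
    return flagged


if __name__ == "__main__":
    for entry in off_shift_use(AUDIT_LINES, SHIFTS):
        print("code used while holder was off site:", entry)
```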






Contact us at:
SelbySoft
Mike Spence
800-454-4434
Sales@SelbySoft.com
WWW.SelbySoft.com
8326 Woodland Ave. E
Puyallup Wa 98371

Posted in Technology

October 14th, 2010 by ssadmin
Employee Security

It’s true, the days of one and two letter employee passwords are gone.  Chances are you might be one of the people that created an employee code and then used 123 as your password.
In order to better safeguard our customers and to ensure our customers are in compliance with PCI and PA-DSS regulations for credit card systems, we have moved to providing secure employee password systems in the SP-1 POS system.
In versions 7.60 and above, you are required to have passwords that meet industry standards for security.
Employee Password Specifications:
  • Must be 7 characters or more.
  • Must contain a combination of numbers and letters
  • Must expire every 90 days.
  • Will not allow a password to be reused if it was one of the last 4 used.
  • SHA-512 Cryptographic Hash system for password security.  http://en.wikipedia.org/wiki/SHA_hash_functions
  • Employee lock outs after multiple failed attempts

In addition to this, all employee access is being tracked and logged as well!

The great news is that all of this helps ensure that your system is as secure as possible!  For those of you that are dreading typing long complex passwords . . . implement the Card Swipe or Fingerprint ID.  With those items you don’t have to type the password every time!
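
The password rules listed above can be expressed as a small policy check. This is an added example, not SP-1's implementation: the post names SHA-512 but not how it is applied, so the sketch swaps in salted PBKDF2-HMAC-SHA512, and the lockout threshold and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 7                 # "Must be 7 characters or more"
MAX_AGE = timedelta(days=90)   # "Must expire every 90 days"
HISTORY_DEPTH = 4              # no reuse of the last 4 passwords
MAX_FAILURES = 5               # assumed; the post only says "multiple failed attempts"
PBKDF2_ROUNDS = 210_000        # assumed work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA512 (a swap-in for plain SHA-512); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(password, history):
    """Return rule violations; history is [(salt, digest), ...] with the newest last."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs letters and numbers")
    if any(matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


def is_expired(changed_at, now):
    """True once the password is 90 or more days old."""
    return now - changed_at >= MAX_AGE


def is_locked_out(failed_attempts):
    """True once consecutive failures reach the (assumed) threshold."""
    return failed_attempts >= MAX_FAILURES
```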

Posted in Employees, theft, Uncategorized

February 16th, 2010 by ssadmin

I’m finally back on the blogs for each week . . . We are getting ready for two big shows that are coming up and have had some interest in showing off our Fingerprint ID Security System at these shows.

One of the things that we have heard more about in the last year is that incidents of employee theft are increasing.

So what is a Fingerprint ID System and how does it work? These units are connected to the software and then either sit on the counter or attach to a monitor. They are designed to allow the employee to use any one of their fingers to both clock in to the system and to be used as an id for employee tracking.

What this means to you is that you will have complete peace of mind when dealing with your employees. For instance, you can easily reduce incidents of employee time theft. So, when the employee wants to have a buddy clock in for him . . . can’t happen.

But this works both ways. . . If you assign employees to cash drawers (future blog topic?), then the fingerprint helps that employee feel secure. Let’s play this out. . .

Bob is assigned to a cash drawer – he is the only person that should be handling the money at the counter. Now, Bob walks away and Susie knows his four digit code. She enters that, hits no sale and pockets the cash. Bob gets blamed. So, what if we use the employee swipe card instead? Same scenario. . .

Susie walks up, grabs the card Bob left behind, swipes it and steals the money. Bob gets blamed. Finally, let’s play this out with a fingerprint. . .

Susie walks up and . . . Nothing – she can’t open the drawer. Bob is secure in knowing that the cash in the drawer is his responsibility and that it is accurate.

So, if you have a fingerprint through us – use it! If not, call us and ask how we can implement it in your location.

Posted in Employees, Hardware, Uncategorized

December 15th, 2009 by ssadmin

Security Levels! I know it’s not the most exciting topic but I am amazed by the number of stores that have open levels of security for their employees. Security is important so you can remain on top of who is doing what and when. After all, you lock your doors right?

SP-1 has 11 levels of security available. The first ten are labeled 0 through 9 with 9 being the highest. The 11th level is set by leaving the security code blank.

Let’s tackle some of these. . .
The blank security code is the most interesting to start with. By entering an employee and leaving their security code blank, you are telling SP-1 that this employee will ONLY be allowed to clock in and out. They cannot access any other area of the program. This is great for cleaning staff or anyone else whose time you track but who is not actually working on the POS.

Levels 0 through 9 are used to assign what an employee can and can’t do. If a zero is assigned to an employee, that employee only has access to the order screen (Order Entry) in SP-1.
Levels 1 – 8 can be assigned to employees that may need access to any of the other areas of SP-1.

Our general suggestion is to assign employees as follows:
Owner – 9
Manager – 5
Shift Supervisor – 3
Employee – 0
It is VERY important that only the owner has a 9 on their account.

This leaves you with some levels for growth and for multiple stores.

Once you have assigned the security level, you would place that code in the system security section on each of the items you want to control. Remember that if you enter a number, then anyone with that level or higher could access that item. So a 3 can do anything a 0-2 can and so on.
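
The level rule described in this post and in the September 2012 post (blank means clock in/out only; a function set to N is open to level N and above) can be used to review a configuration for the weak settings the posts warn about. This is an added example, not SelbySoft code: the function names, the sample settings and staff list are constructed, and the expected minimums of 3, 5 and 9 are assumptions based on the suggested supervisor, manager and owner levels.

```python
CLOCK_ONLY = None  # blank security code: clock in/out only


def can_access(employee_level, required_level):
    """Level rule from the posts: a function set to N is open to level N and above."""
    if employee_level is CLOCK_ONLY:
        return False          # no access to any other function
    if required_level is None:
        return True           # function has no security set on it
    return employee_level >= required_level


# Minimum level this review expects per function. Function names are
# hypothetical labels; 3/5/9 follow the suggested supervisor/manager/owner levels.
EXPECTED_MINIMUM = {
    "void_ticket": 3,
    "reopen_ticket": 3,
    "discount_100_percent": 5,
    "change_security_levels": 9,
}

# Constructed sample configuration and staff list.
SETTINGS = {"void_ticket": 0, "reopen_ticket": 3,
            "discount_100_percent": None, "change_security_levels": 5}
EMPLOYEES = {"ann": 9, "bo": 5, "cy": 3, "di": 0, "ed": CLOCK_ONLY}


def review(settings, employees):
    """Return (function, configured level, who can use it) for each weak setting."""
    findings = []
    for function, minimum in EXPECTED_MINIMUM.items():
        required = settings.get(function)   # missing entry = no security set
        if required is None or required < minimum:
            who = sorted(n for n, lvl in employees.items() if can_access(lvl, required))
            findings.append((function, required, who))
    owners = sorted(n for n, lvl in employees.items() if lvl == 9)
    if len(owners) > 1:       # only the owner should hold a 9
        findings.append(("level_9_accounts", 9, owners))
    return findings
```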

Posted in Employees, Uncategorized