What Retail IT Needs
to Do About This"> Forget about whether to believe the memo. Are retail IT execs forced to interpret the memo or the media reports referencing the memo? Visa refuses to release the memo, nor will it describe or elaborate on its content. Most pointedly, they have refused to even offer advice to retail IT managers who are begging for some clarification. Based on the vague Visa data, what is a user supposed to think? Now lets add the equally vague Fujitsu denials, saying that something in the secret advisory is "somewhat misleading" and "not fully correct." Fujitsu also will not be more explicit.I posed this conundrum late on Wednesday to Mark Rasch, who is one of the smartest security people I know, despite the fact that hes an attorney. Although Raschs day job is serving as a senior VP for security vendor Solutionary, I first met him back in 1989 when he was a prosecutor for the U.S. Justice Department and I was covering his prosecution of Robert Tappen Morris, who is credited with having created the first wide-scale worm to disrupt the Internet. I mention this to illustrate how little IT has changed in the roughly 17 years since that happened. Morris argued that he unleashed the worm to make systems administrators more aware of the security holes within Unix, so that they could be plugged. That same thought processthat sometimes security holes must be made very public or no one will bother to fix themstill has some legitimacy today. "The worst thing you can possibly do is to send out half an advisory," Rasch said. "Theres a whole user community out there, and they need to be kept aware of what they need to do to remain secure." Ziff Davis Media eSeminars invite: Join Symantec on March 31 at 12:30 p.m. ET for an in-depth look at the compliance landscape for e-mail, IM and electronic files. Ultimately, one of the most likely scenarios is that user apathyin great part bred by these hard-to-act-on advisory rumorswill cause the "Boy Who Cried Wolf" problem. Thats where people stop acting on the memos at all. Rasch points out that the Boy Who Cried Wolf scenario is already starting to play out. "A large number of retailers already ignore the valid memos," he said. Thats because they typically "dont have the resources or the expertise to even do anything for the real and detailed advisories," unlike "the vague advisories" in this case. Will Visas alerts ultimately cause retailers to ignore even more security alerts, in the same way that the American public quickly stopped paying attention to the Homeland Security color-coded threat level advisories? By the way, were still at a yellow elevated risk of terrorist attack. Anyone who thinks that the government will ever reduce it to guarded blue orheaven forbidlow green needs to either read more or promise not to vote for awhile. To be effective, security alerts need to be taken seriously. For that to happen, they need to be explicit and accurate, and they also need to include specific instructions telling IT want its supposed to do about this. In the meantime, maybe Visa can start announcing that its gone to Code Blue PCI Security Level. Heck, its not like the government will be needing to use that color any time soon. Evan Schuman is retail editor for Ziff Davis Internets Enterprise Edit group. He has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop anytime soon. He can be reached at Evan_Schuman@ziffdavis.com. Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.
Is a retail IT exec supposed to find Fujitsus protests credible? Maybe. Maybe not. There is far too little information from either side to make any kind of reasonable judgment.