Visa Putting Retail IT Execs Everywhere but Where They Want to Be

Written by Evan Schuman
March 30th, 2006

Visa recently sent a confidential memo to selected business partners advising them of a potentially major security threat involving Fujitsu POS software.

We all know this because the memo was leaked to the Wall Street Journal, which prompted tons of media?including eWEEK, of course?to cover the story. The culprit seemed to be a tracer testing utility that Fujitsu provided to some customers, which apparently at least one customer continued to use in a live environment, which is a major security no-no.

That part’s old news. But what has gone on in the days since the memo leaked is sadly reminiscent of the old public security conundrum: the need to alert customers to a major security problem in as public and fast a way as possible, knowing that satanic evildoers?which could accurately describe criminal hackers intending to steal credit card information or my in-laws, but that’s another column?will immediately try to take advantage of the security hole.

Most of the smarter bad guys know that they have an XX-hour (and often an XX-day) window after a major security hole is announced before most systems administrators will install the patch or make appropriate adjustments.

That forces companies like Visa?and, for that matter, almost every major software vendor?to play their game of risk/reward ratios: Will announcing this hole likely cause more harm or good?

As a compromise, many vendors have experimented with an in-between approach, whereby they reveal the information to a select group of partners/customers, the ones that will impact the most people and the ones that presumably have a good track record of keeping such information secret.

That seems to be what Visa has been trying to do. The problem: What to do when the secret memo becomes decidedly no longer secret. Should Visa throw up its mag-stripe hands and say, “Oh well. This stuff happens. We’ll now announce it to the world” or should it stick to its original script, hoping that no one notices what hundreds of newspapers, magazines and countless Web sites are reporting?

Visa has apparently opted for that latter scenario.

But wait, this gets better. In this memo, Visa talks about security problems and then mentions two specific Fujitsu products: RAFT and GlobalStore, according to the Journal’s March 17 story. (eWEEK has spoken with people on both the Visa and Fujitsu side, but has not reviewed the still humorously secret document.)

Fujitsu then steps to the podium and tells every reporter it can find that the memo was flawed, sort of. Ed Soladay, the COO for Fujitsu Transaction Solutions, said the Visa alert was “somewhat misleading” and “not fully correct.”

In recent days, Fujitsu people have been more explicit in saying that the memo was “wrong,” but that’s not very meaningful unless they will say what specifically is wrong, which they won’t.

Both Fujitsu and Visa people have said the two sides have been talking for weeks, and a Fujitsu person said Wednesday afternoon that nothing had been resolved. Fujitsu is hoping that Visa will issue a clarification statement.

It’s almost impossible to comment on that without resorting to sarcasm, but let’s just say that I expect to see that statement moments after the U.S. Senate bans all lobbyist campaign contributions.

Where does this all leave retail IT execs, whose business depends on the security of their POS applications? Visa has definitely forced them to be where they do not want to be.

Do they believe the relatively vague Visa advisory? Remember that the vast majority of them have never, ever seen the advisory, so they are forced to deal with vague partial reports of memos, which were apparently not overly specific in the first place.

Forget about whether to believe the memo. Are retail IT execs forced to interpret the memo or the media reports referencing the memo?

Visa refuses to release the memo, nor will it describe or elaborate on its content. Most pointedly, they have refused to even offer advice to retail IT managers who are begging for some clarification. Based on the vague Visa data, what is a user supposed to think?

Now let’s add the equally vague Fujitsu denials, saying that something in the secret advisory is “somewhat misleading” and “not fully correct.” Fujitsu also will not be more explicit.

Is a retail IT exec supposed to find Fujitsu’s protests credible? Maybe. Maybe not. There is far too little information from either side to make any kind of reasonable judgment.

I posed this conundrum late on Wednesday to Mark Rasch, who is one of the smartest security people I know, despite the fact that he’s an attorney.

Although Rasch’s day job is serving as a senior VP for security vendor Solutionary, I first met him back in 1989 when he was a prosecutor for the U.S. Justice Department and I was covering his prosecution of Robert Tappen Morris, who is credited with having created the first wide-scale worm to disrupt the Internet.

I mention this to illustrate how little IT has changed in the roughly 17 years since that happened. Morris argued that he unleashed the worm to make systems administrators more aware of the security holes within Unix, so that they could be plugged.

That same thought process?that sometimes security holes must be made very public or no one will bother to fix them?still has some legitimacy today.

“The worst thing you can possibly do is to send out half an advisory,” Rasch said. “There’s a whole user community out there, and they need to be kept aware of what they need to do to remain secure.”

Ultimately, one of the most likely scenarios is that user apathy?in great part bred by these hard-to-act-on advisory rumors?will cause the “Boy Who Cried Wolf” problem. That’s where people stop acting on the memos at all.

Rasch points out that the Boy Who Cried Wolf scenario is already starting to play out. “A large number of retailers already ignore the valid memos,” he said. That’s because they typically “don’t have the resources or the expertise to even do anything for the real and detailed advisories,” unlike “the vague advisories” in this case.

Will Visa’s alerts ultimately cause retailers to ignore even more security alerts, in the same way that the American public quickly stopped paying attention to the Homeland Security color-coded threat level advisories?

By the way, we’re still at a yellow elevated risk of terrorist attack. Anyone who thinks that the government will ever reduce it to guarded blue or?heaven forbid?low green needs to either read more or promise not to vote for awhile.

To be effective, security alerts need to be taken seriously. For that to happen, they need to be explicit and accurate, and they also need to include specific instructions telling IT want it’s supposed to do about this.

In the meantime, maybe Visa can start announcing that it’s gone to Code Blue PCI Security Level. Heck, it’s not like the government will be needing to use that color any time soon.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.