Volume 4, Issue 1 - January, 2009 - © 2009 by Moose Logic, All Rights Reserved

Cover Story: Business Planning, 2009
Exclusive Interview with Nat Hillary of WatchGuard on PCI/DSS Compliance
The Land of Lost Computers
Moose Logic Coming Events
(Moose Views is a monthly newsletter prepared by Moose Logic to bring you information and tips on maintaining a trouble-free network)
Business Planning, 2009
To say that the outlook for 2009 is uncertain is like saying that the ocean is wet. Everywhere you look, there are articles and stories about how bad things are…but are they really that bad? Media hype notwithstanding, is this really the worst economic crisis since the 1930s? Just how worried should we be, and what should we be doing about it, particularly as it relates to business planning?
One of the reasons these questions are difficult to answer is that many economists are no longer sure that the economic models they’ve been using for the past several decades still accurately reflect how the U.S. and global economies work.
This was discussed by economist James McCusker in an excellent column that recently ran in the Everett Herald. (You can read the entire column at http://tinyurl.com/8ff5n6.) He contends that part of the problem is that “Our confidence in our understanding of how the economy works…has been shaken.” He goes on to say that “All of our efforts at the federal level…are based on assumptions about how banks, companies, and individuals behave. If we’ve got that wrong, then the economic models are wrong. The policy actions will have an effect anyway – but probably not what we expected.”
McCusker cites several examples of data that “doesn’t fit” traditional expectations:
- Despite the tough times, credit card delinquencies are actually lower now than they were in 2005. Was the economy worse then (probably not), or is consumer behavior different?
- Consumer spending “shows signs of behavior shifts rather than across-the-board declines.” Wal-Mart has had a great year while Saks Fifth Avenue saw same-store sales drop by 20%. Amazon.com had its best Christmas Holiday sales ever.
- New manufacturing orders showed a 4.6% drop in November…but nearly half of that drop was because of the declining price of gasoline and other petroleum products, which is actually good for consumers. Unfortunately, that data didn’t make it into the headlines.
As recently as October, a Pew Research poll showed that, across the political spectrum, an overwhelming majority (over 75%) of Americans said they were either “very happy” or “pretty happy” with their own lives. At the same time, a Gallup poll showed that 78% of Americans were negative about the state of the economy in general, and an astounding 35% said that an economic depression in the next two years is “very likely.”
So your humble correspondent thought that some hard numbers might be useful in bringing some perspective to the table. Here’s what the Great Depression really looked like: In 1930, the nation’s GDP fell by 8.6%. In 1931, it fell by another 6.4%, and in 1932 by a full 13%. That’s a cumulative drop of over 25% in just three years. The national unemployment rate topped out at 25%, and wages for those still employed fell by 42%. By contrast, despite a small drop of one half of one percent in Q3, overall we’ve seen GDP grow by about 3 ½% through the first three quarters of 2008. (Q4 numbers won’t be available until the end of January.) And you have to go all the way back to 1990 – 1991 to find the last time we had two consecutive quarters of decline in GDP. So far, not even close to Depression-era performance.
The national unemployment rate hit 7.2% in December, 2008, although the Puget Sound area is, at the moment, enjoying a lower unemployment rate than the national average. Of course, the unemployment rate has never been, and will never be, zero. Over the last 50 years, the unemployment rate has seldom been below 4%, and has spent most of that time between 4% and 6%. So while the current rate isn’t anything to cheer about, it isn’t anywhere close to Depression levels, either.
(NOTE: We realize that behind those unemployment statistics are real people, and that knowing things aren’t that bad by historical standards doesn’t diminish the real pain that they are feeling. Nevertheless, we believe that placing things in their proper historical perspective is important for business planning.)
Of course, we don’t have the luxury of waiting for the economists to figure out how to fold all of this into their economic models – we have to figure out how to run our businesses now. So what conclusions should be drawn from all this?
First of all, remember that there is such a thing as a business cycle. There have always been ups and downs, and there will always be ups and downs, regardless of government policies and regardless of which party is in power.
Second, don’t lose your perspective. What we’re seeing now is not even remotely close to depression-level bad. In fact, if you look at the numbers over the last 30 years or so, you’ll see that, overall, government policies have been pretty successful at reducing both the length and severity of the economic “down” cycles.
Third, focus on bringing value to your customers. Unless what you provide is truly a commodity, better value will nearly always win out over lowest price.
Finally, be smart about your expenditures. It’s impossible to be in business and not spend anything. But your expenditures should be focused on things that will make your business better.
This is exactly what we’re doing in our own business: We’re working to streamline and automate our ticketing process so it will be easier to open and track trouble tickets, and our technical staff can handle them more efficiently, thus doing a better job for our clients.
We’re leveraging application virtualization with Citrix XenApp to make it easier and faster to deploy and update applications, and server virtualization with Citrix XenServer to reduce the number of physical servers in our infrastructure while giving us more protection against a server failure.
We’re using thin-client terminals where it makes sense – for people who really don’t need the power or flexibility of a PC on the desktop. And we’ve consolidated storage onto a pair of mirrored SAN nodes that give us both higher performance and greater data protection.
Our focus at Moose Logic for 2009 is going to remain on products and technologies that can help businesses run more efficiently, boost productivity, and reduce operating costs – because those are technologies that can bring value to you, and we know that focusing on what’s best for your business is ultimately best for ours as well.
In the coming months, we’ll be talking more in these pages about those products and technologies and about how they can help your business. We hope you will find the information valuable.
Interview: Nat Hillary of WatchGuard on PCI/DSS Compliance
Moose Views (MV): Hello and welcome, this is Shane Kalles with Moose Logic, with another edition of Moose Views Interviews. Today I am sitting down with Nat Hillary of WatchGuard Technologies. Hello.
Nat Hillary (NH): Hello everybody.
MV: Well, the big topic that we are going to be talking about today is PCI/DSS. Nat could you help us out? What exactly is PCI and DSS?
NH: Well, PCI stands for the Payment Card Industry; and the Payment Card Industry are all of the credit card companies: Visa, MasterCard, American Express, Discover, and JCB. The DSS is the Data Security Standard, which is a standard that they (PCI) all came together and agreed as being the basis for them certifying their card holders, the people who actually run charges on the cards.
MV: So they’ve gotten together and they have come up with this Data Security Standard. Who does that affect?
NH: It affects two categories of people. It affects merchants, and merchants are anybody who does any credit card transactions, be that one transaction a year or millions of transactions a year, but it also affects what are referred to as service providers, and service providers are the people who actually process the credit card data. So they act as the middle man in between the merchants and the actual credit card companies themselves. Most of the service providers have already been through the PCI/DSS process, otherwise they couldn’t remain service providers. So for the most part those people that are most affected by PCI/DSS at the moment are the merchants.
MV: So if I were a merchant and I’m accepting credit cards as a form of payment, what sort of standards have they put forward that I need to comply with? Is it, let me go out and buy something and make it compliant, or do I need to come up to code and then sort of a set-it-and-forget-it mentality? What exactly are they looking for from me as a merchant?
NH: Very, very good question. So this is where PCI/DSS actually gets very, very subtle, because the data that they are trying to protect is the card holder data: the primary account numbers, the PINs, the card verification numbers all of the information contained on a credit card that make it uniquely identifiable to a specific account. The subtlety is whether you’re running paper transactions, you know via the old machines, the chunk-chunk machines [making a back and forth motion with his hands], or whether you’re doing electronic transactions, you’re still subject to PCI/DSS. So PCI/DSS describes the measures that have to be in place both from a technology perspective but also from a policies and a procedures perspective to ensure the safety for that card holder information. So that means starting at the most basic, say you have a mom and pop shop who only does five credit card transactions a year and they do them all on that old slidey machine.
MV: Do they still make those?
NH: They do. They are a little bit more subtle now. They are little plastic thingies, but in fact I have seen some people run the credit card transaction just by holding the card against the slip and running a pen across it.
MV: Oh yeah, running a pen over the top. Alright, so they are doing five transactions, just the carbon copy kind of cover.
NH: Exactly. PCI/DSS defines what has to happen with that information, who has access to it, and what needs to happen to it from a procedural perspective to make sure that that information doesn’t fall into the wrong hands. But it also defines who has the rights within a specific organization to run the credit card transactions in the first place. The idea is, making sure that an individual company, be it a big shop like say Amazon.com or Expedia, has the policies and procedures in place to make sure that the card holder data is handled responsibly and safely. The idea is that any company handling card data should have an audit trail to be able to demonstrate that they have been handling the cardholder data responsibly, both in terms of the transaction but also their policies and procedures.
MV: Getting ready for this interview, just kind of looking at PCI/DSS compliance regulation, I was noticing as it breaks down on the PCI website it has a lot of legal jargon and then of course as you start to sort through, there are a lot of people trying to provide you with an easy solution, take the confusion out. Is PCI compliance a really confusing and difficult thing for a business owner to do?
NH: Good question. A certain amount of it I can’t answer because I haven’t been a business owner who has been through the PCI/DSS, but what I can say is from the electronic side of things...so from the computer-based transactions, computer-based credit card transactions, that can be whether you’re using a point of sale system such as you might find in a Starbucks or even in a hotel. Say in a hotel bar they have a point of sale system that is a credit card transaction. So that is subject to PCI/DSS. Or you go into a restaurant where they have a PC running their point of sale application. The policies and procedures regarding that are fairly straightforward if you already have a culture of security in place.
And what do I mean by culture of security? Imagine for instance you’re a restaurant and you have a point of sale application, and the point of sale application will store credit card information until the end of the day, when everything is trued up and then everything is cleared to make space for the next day. Suppose you have a consultant working in the restaurant at any time, and that consultant just happens to put a USB card in the back of the PC used for the point of sale application, and they end up with that day’s credit card transactions on that USB card. Of course that’s a no-no, that’s a big no-no. The basic policy there from the culture of security is making sure first of all that the PC itself cannot be...you don’t have access to it. In order to gain access to the PC you have to have a key, and only authorized people have access to that key. Similarly, if the person responsible for maintaining that PC, the person for making sure that the anti-virus software on it is up to date, all the software is up to date, correct security patches, all of those types of things, is a very specific person, then that is a culture of security. If you have that let-anybody-do-anything-at-any-time type approach, which a lot of small businesses do, then it will be more difficult because you have to put those policies and procedures in place, and then you’re not facing a technology shift, you’re facing a cultural shift within the organization.
(To listen to the full interview, please go to our Interview and Webinar Archive page.)
The Land of Lost Computers
Did you know that every week, airline travelers lose 12,000 laptops at American airports? How can so many people walk off without their computers? Well, according to a recent study, many report feeling rushed, being distracted by flight delays, or having too many carry-on items.
In fact, about 40 percent of these lost laptops are left in the security checkpoints. Travelers go through security and forget to collect all of their belongings when they walk off toward their flight. Remarkably, only 33 percent of travelers ever reclaim their computers.
How do you prevent the loss of your laptop? You should first ensure that you give yourself enough time to get to your flight on time, with plenty of time to navigate check-in lines and security. Once through security, stop and take a moment to check whether you have all your belongings. An easy way to do this is to count your items as you place them on the belt, and then count again as you collect them. Also, be sure to label your computer so that if you do leave it behind, you can be contacted.
18702 North Creek Pkwy. #208
