At the end of January, I spoke at the Esomar Shopper Insights Conference and part of my speech was about how technology makes the market insights professional role more challenging in some ways. For example, technology has made the world flat: The Internet makes it possible for information to travel fast, and it feels like we know everything about anything (or at least we could).* But my point was that knowing doesn’t equal understanding.
And in the past weeks, with the world on fire, this thought has been nibbling at the back of my mind. It was there when I watched television and followed the latest developments in Egypt or Morocco. When I read the news or watched the videos and pictures from the earthquake in Japan, or more recently when Britain, France and the US decided to intervene in Libya. I can follow the news minute by minute via Facebook or Twitter (and I do), but I feel I lack the context and local background to really understand what’s going on — like most of us. How will the intervention in Libya change the relationships in that part of the world? How will the earthquake and the issues with the Fukushima Daiichi nuclear power plant affect the Japanese economy? The world is flat, but we are still limited by our own horizons.
The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the retailer you are shopping with your credit card number:
"Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."
My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard. According to the PCI DSS:
"Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."
It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.
An MSNBC story on the investigation puts it this way:
The first reports on the IT market in Q4 2009 are now in, and they are in line with our prediction that the tech market recession ended in that quarter (see US And Global IT Market Outlook: Q4 2009). Overall, the tech market in Q4 2009 was more or less flat with the same quarter the year before – an improvement from the prior quarter, when growth was negative, and evidence that the 2010 tech market will post positive growth.
The US economy was stronger than expected, but 5.7% real GDP growth is an aberration. The US Department of Commerce released preliminary data on Q4 2009 economic growth, and the result was a surprisingly strong 5.7% growth in real GDP and 6.4% in nominal GDP from the previous quarter (on a seasonally adjusted annualized basis). However, about two percentage points of that growth was due to inventory re-stocking, which will not be repeated in future quarters. And based on prior GDP reports, this growth rate will probably be revised down as new data comes in. (In Q3 2009, the growth rate in real GDP started at 3.5% but ended up revised down to 2.2%.) Still, this report confirms that the US recession is over, and slower but steady growth is likely for the rest of 2010.
Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance scope. They may use ARP or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed in using tools such as Ettercap or Cain & Abel to bypass them. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.
While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control: "Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."
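As an added example (not from this post or from the PCI Council), here is a small audit of the access rules between VLANs and the CDE that checks for exactly the gap the guidance describes: a VLAN with no access control between it and the CDE, permits broader than what card transactions need, and no explicit deny-all behind the permits. The rule format, VLAN numbers and the allowlist are constructed for the example and match no vendor's syntax.

```python
# Added example: audit access rules between VLANs and a PCI cardholder data environment (CDE).
# Rule format, VLAN numbers and the allowlist are constructed; they match no vendor's syntax.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

CDE_VLAN = 100                      # constructed: the VLAN carrying cardholder data
REQUIRED_INBOUND = {("tcp", 443)}   # constructed: the only traffic the card transactions need

@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "permit" or "deny"

def audit_cde_rules(rules: Iterable[Rule], vlans: Iterable[int],
                    cde_vlan: int = CDE_VLAN,
                    required: Set[Tuple[str, int]] = REQUIRED_INBOUND) -> List[str]:
    """Flag every VLAN whose path into the CDE is not limited to the required
    protocols with an explicit deny-all behind them."""
    findings: List[str] = []
    by_src: Dict[int, List[Rule]] = {v: [] for v in vlans if v != cde_vlan}
    for r in rules:
        if r.dst_vlan == cde_vlan and r.src_vlan in by_src:
            by_src[r.src_vlan].append(r)
    for src, rs in sorted(by_src.items()):
        if not rs:
            # A separate VLAN tag with nothing filtering between VLANs is not segmentation.
            findings.append(f"VLAN {src} -> {cde_vlan}: no access rules, VLAN separation only")
            continue
        for r in rs:
            too_broad = r.proto == "any" or r.port is None or (r.proto, r.port) not in required
            if r.action == "permit" and too_broad:
                findings.append(f"VLAN {src} -> {cde_vlan}: permits {r.proto}/{r.port or 'any'}, not needed by the CDE")
        if not any(r.action == "deny" and r.proto == "any" and r.port is None for r in rs):
            findings.append(f"VLAN {src} -> {cde_vlan}: no explicit deny-all behind the permits")
    return findings

# Constructed sample: POS VLAN 10 is filtered correctly, WLAN VLAN 20 relies on VLAN
# tagging alone, and corporate VLAN 30 has a permit-any with no deny behind it.
SAMPLE_VLANS = [10, 20, 30, CDE_VLAN]
SAMPLE_RULES = [
    Rule(10, CDE_VLAN, "tcp", 443, "permit"),
    Rule(10, CDE_VLAN, "any", None, "deny"),
    Rule(30, CDE_VLAN, "any", None, "permit"),
]

if __name__ == "__main__":
    print("\n".join(audit_cde_rules(SAMPLE_RULES, SAMPLE_VLANS)))
```

On the sample data the audit reports the WLAN VLAN as unfiltered and the corporate VLAN as both over-permissive and lacking a deny-all, while the POS VLAN passes.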
2009 was a miserable year for tech vendors, especially for sellers of capital equipment like PCs, servers, routers, and licensed software, and for systems integrators who helped implement that software. 2010 will be a much better year, especially for these very same vendors. We’re not talking boom yet, so we are not predicting double-digit growth rates across the tech market (though some categories will see those kinds of growth). But, as our latest tech market report shows (http://www.forrester.com/rb/Research/us_and_global_it_market_outlook_q4/q/id/53384/t/2), we do think there will be a solid tech recovery in 2010, with growth rates in the high single digits.
Given that other IT advisory firms are predicting that tech markets will see growth of 3% to 4% in 2010, why are we so (relatively) bullish with our predictions of 6.6% growth in the US tech market, and 8.2% growth in the global tech market (when measured in US dollars)? Three reasons: