June 26, 2011
Within the past month, I noticed a couple of articles about businesses voluntarily choosing to call it quits that are worth highlighting. Businesses go bust all the time and in many cases either quietly wind down and dissolve because they weren’t profitable or get run through the wringer of bankruptcy process to sort through who will salvage the parts worth saving. The situations with Bling Nation and Google Health are interesting and contrasting variations on the usual tale because these undertakings didn’t truly flame out.
Google’s decision with its Google Health is the more traditional of these two stories. As reported yesterday in the NY Times, the effort to gain traction with consumers adopting electronic health records was fraught with challenges. This was best summed up by an analyst at IDC Health Insights by her observation that “Personal health records have been a technology in search of a market.” So, sometimes the lesson that even major enterprises learn is that even with a boatload of financial, technology and people resources to throw at a business venture success is not assured and sometimes the best thing to do is just accept this and move on.
Bling Nation’s decision is more interesting because it’s less typical. The company is (was?) an early stage mobile payments services provider that had raised a significant amount of capital (over $33 million) to execute its business plan and had gained a significant following among both target consumers and community banks. Blig Nation was among the first to deploy near field communications (NFC) in connection with mobile payments. The American Banker on June 8 ran an in-depth story about the company and its Achilles heel, which seems to have been tying use of their widely praised payments solution with a mobile marketing solution called FanConnect, as to which both banks and consumers balked because it was seen as an unwelcome obstacle to the desired mobile payments solution the banks had already been using with success. Result: banks started dropping the service causing an abrupt comeuppance of sorts for Bling Nation.
So, in a gutsy move that may have been dictated as much by realism and necessity as anything, Bling Nation chose to press the reset button by temporarily suspending its service and regroup. Matthew Murphy, the company’s General Manager noted, “We found it easier to pause and fix [our business model] than try to tweak and market.” While there are frequently second chances in business and, to its advantage, Bling Nation has substantial capital in reserve for a “relaunch” if that’s what it decides to do, it will be interesting to see whether its lost footing can be regained.
Both Google and Bling Nation are also notable examples of the adage that innovation often requires not being averse to the risk of failure and the key is to learn from the missteps and then go in a different direction (as with Google Health) or recalibrate (as with Bling Nation).
June 22, 2011
As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment cards ecosystem are also part of that inexorable movement toward all things cloud. Relevant legal rules and industry best practices standards are still catching up to this shift. In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the peculiar risks associated with virtualized computing environments and resources, including cloud computing. Not surprisingly, the general rule of thumb is that if a security feature is required in a non-virtual computing environment that feature is also required in the virtual environment. However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.
While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting. The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance. However, because of the generally comprehensive functions performed by many SaaS cloud providers as opposed to user organizations, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider.
Link to Supplement
June 21, 2011
Up to yesterday, only 22 generic top-level domains (gLTDs) or suffixes for websites — such as .com, .org and .edu — had been authorized by the Internet Association for Assigned Names and Numbers (ICANN). Following approval at its most recent Board meeting on Monday, ICANN announced the ability of organizations and individuals to apply, starting in January 2012, for custom top-level domains, which may be any word that meets the approval of ICANN after submission of an application.
According to ICANN’s gTLD Applicant Guidebook (30 May 2011) applications to allow for such creativity won’t be cheap — the application fee is a whopping $185,000! While the fee amount sounds prohibitive it may have the welcome effect of discouraging undesirable cyber-squatting on domains, perhaps leaving the use of such creative gTLDs to organizations with a solid business case to support the cost.
June 21, 2011
As noted in an earlier post on TechRazor, in the online realm website and app terms and conditions merit barely a yawn from most users. Interesting then that a recent business deal announced last month between Twitpic and World Entertainment News (WEN) garnered so much pushback from the Twittersphere. Under the deal, WEN was designated as Twitpic’s exclusive photo agency partner.
The catch for users of Twitpic, an immensely popular application used to attach pictures to Twitter posts, is that the fine print of the user terms grants broad rights to Twitpic to pretty much do whatever Twitpic desires with uploaded images, including to profit off of them. Specifically:
“By uploading content to Twitpic you give Twitpic permission to use or distribute your content on Twitpic.com or affiliated sites. . . . [B]y submitting Content to Twitpic, you hereby grant Twitpic a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content in connection with the Service and Twitpic’s (and its successors’ and affiliates’) business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels.”
Twitter users, especially professional photographers, rebelled and WEN’s CEO did not really help the situation by later stating that WEN was only interested in photos posted by celebrity users. So, sometimes the fine print contains traps for the unwary that can snag many.
For more on this tempest, see Joshua Brustein’s recent piece about this in the NY Times and a follow up piece a week or so later by Paul Boutin.
June 9, 2011
Starting June 15, 2011, audits of the internal controls of a service provider for several key service areas will be based on a new audit standard, SSAE 16, promulgated by the American Institute of Certified Public Accountants (AICPA) rather than the currently prevailing SAS 70 standard, which was originally introduced in 1992. Along with this new standard are new associated report standards — Service Organization Control (SOC) Reports, of which there are three: SOC1, SOC 2 and SOC3.
The increased attention in recent years given to an organization’s internal controls has somewhat naturally extended to the internal controls of service providers and support partners. This is based partly on the simple notion that any given control environment is only as strong as its weakest link, so validation of controls implemented by significant service providers makes sense. It’s long been customary where service provider controls are sought to be confirmed that a SAS 70 report would be requested from the service provider. SAS 70 is principally a standard that allows an auditor to confirm that its clients’ service providers have adequate controls in place to the extent those controls have an impact on client financial statements. While SAS 70 is not truly focused on specific controls or whether controls can be said to have been effective over a stated period, in the absence of anything more tailored the SAS 70 report was made to do double duty as a rough proxy for service provider security controls. SSAE 16 and the new SOC reports were specifically intended to address this shortcoming. Read the rest of this entry »