Archive for the ‘Security’ Category

A Supreme Stance on Fleeting Expletives…

May 7th, 2009

On April 28, the US Supreme Court ruled 5-4 that the FCC can fine broadcasters even in the case of fleeting expletives. As you may remember, there were a number of high profile cases during entertainment award shows where U2′s Bono, Cher and Nicole Richie had used the “f word” during their acceptance speeches.

At issue in front of the Supreme Court was actually a fairly narrow question: since the FCC had for years ignored such minor slips, was it now reasonable for them to change their policy and start to impose fines? By making their ruling, the court essentially says ‘Yes’ and remanded the decision back to the appeals court for further deliberation.

Now, you might ask yourself a few questions: 1) are fleeting expletives really so bad? 2) how can networks control such things – after all, in the cases cited above, these are not scripted comments; and 3) since so much worse is already on cable, the Internet and late-night TV – aren’t we being prudish in these cases?

Well, let me take them one at a time then:

1) The cases where fleeting expletives were raised were during major, prime-time awards shows. These are the types of shows that family members often enjoy together. A single foul word is not going to corrupt a child, but as we saw following Bono’s initial ‘reaction’, other celebrities were quick to create their own publicity by following suit. By being lax the first time, the FCC essentially ‘invited’ more occurrences – and the change towards a zero-tolerance policy snuffs that out completely. (After all, we are just talking about a fine – it’s not like we are going to shut down these major broadcasters.)

2) Modern broadcast television often utilizes delays of 5-7 seconds for live events. Simply ‘bleeping’ or even wholesale cutting of broadcast is quite easy to accomplish. Any argument of hardship is simply a red herring.

3) As I pointed out in point #1 above, the comments from Bono, Cher and Nicole Richie all occurred during shows that are likely to have large family audiences. This is not a show like 24, Lost or Southland where a parent has a reasonable expectation of violence, sexuality or explicit language. So, the challenge with these situations is that parental controls cannot reasonably be set. It’s like going to a ‘G’ rated movie but knowing that ‘R’ rated language could slip in at any time. If this were the case, then no parent could reasonably allow their child to watch ANY broadcast while safely assuming that their child will not be exposed to explicit language. I know that’s stretching the situation, but it’s logically true.

While the Supreme Court ruling answered a narrow question, there are still some larger points to be settled. So, this is by no means over. But, I do hope that the FCC fines stand and the major broadcasters take heed – if parents are to be enabled to help set limits for their children, they need the support of the media industry to help establish reasonable expectations of content.

Up next – Janet Jackson’s ‘wardrobe malfunction’…

When your credit card is stolen, the terrorists win!

April 7th, 2009

“In his 2002 autobiography, the Bali nightclub bomber specifically referred to online credit card fraud and carding as a means to fund terrorist activities, and encouraged his followers to use this method to obtain financing,” said Chairwoman Yvette Clarke (D-NY) during a March 31, 2009 Homeland Security Hearing “Do the Payment Card Industry Data Standards Reduce Cybercrime?”

For those of you not up on your Payment Card Industry (PCI) security standards, it’s a set of requirements that merchants who accept credit cards must meet in order to continue accepting credit cards. Generally, these include IT best practices (such as keeping software current and loaded with anti-virus), protecting sensitive data (such as encrypting credit card numbers) and keeping all facilities physically protected. The requirements are segmented into 12 overall areas with over 200 sub-requirements. Over the years, these requirements have been generally lauded.

The Homeland Security hearing was an open discussion on the effectiveness of these standards. Having had a hand in helping to PCI certify a number of clients (and having acted as primary architect for them), I understand how basic these really are – and I understand how easily they could be thwarted. The panel strongly recommended supplementing these requirements, and retailers pushed back equally strongly against being further burdened. (For example, the CIO of Michael’s talked about requirements that all employees sign an attestation of their understanding of the security requirements. This doesn’t make sense for seasonal or transitory retail workforces.)

I’m a strong advocate for more intrusion detection at the system level. But, I suspect fraud mostly occurs at the human level – like most major security breaches. As we continue to fight the overseas contingency action (formerly known as the Global War on Terror), we need to not only protect the economic viability of individuals but the overall safety of our country. So, what can we do to help enforce security?

I think the best solution is to mandate that all payment processors and banks return authorization tokens whenever a credit card is accepted at the point of sale (either on-line or in-store). The retailers should NEVER have to keep credit card information on file (either encrypted or otherwise). In the case of chargebacks (i.e., returns or customers refusing to pay the transaction), the retailer should only have to supply the authorization token to prove that the transaction took place. In 2006, we took this approach with a major on-line retailer using the token service provided by CyberSource. It was more expensive, but it made PCI certification a snap.
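The token-based flow described above, as an added illustration that is not the author’s CyberSource integration: a processor keeps the card vault and hands the merchant an opaque token; the merchant stores only the token and uses it to prove a transaction on chargeback. The class names, the Luhn-based scanner and the test card number are constructed for this example.

```python
"""Tokenized authorization: the processor keeps the card number, the merchant keeps only a token."""
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2 if i % 2 == 1 and d * 2 <= 9 else d
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Hypothetical processor: the only party that ever stores a PAN (in scope for PCI)."""
    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}      # token -> authorization record

    def authorize(self, pan: str, amount: float) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(24)      # random handle, not derived from the PAN
        self._vault[token] = {"pan": pan, "amount": amount}
        return token

    def confirm(self, token: str) -> bool:
        """Chargeback check: did this authorization happen? Nothing but the token is needed."""
        return token in self._vault


class Merchant:
    """Hypothetical retailer: holds tokens and amounts, never card numbers."""
    def __init__(self, processor: PaymentProcessor) -> None:
        self.processor = processor
        self.orders: dict[str, dict] = {}      # order_id -> {token, amount}

    def checkout(self, order_id: str, pan: str, amount: float) -> str:
        token = self.processor.authorize(pan, amount)
        self.orders[order_id] = {"token": token, "amount": amount}
        return token

    def prove_transaction(self, order_id: str) -> bool:
        return self.processor.confirm(self.orders[order_id]["token"])


PAN_RE = re.compile(r"\b\d{13,19}\b")

def stored_pans(records) -> list:
    """Scan stored records for anything that looks like a real card number (13-19 digits, Luhn-valid)."""
    return [m for r in records for m in PAN_RE.findall(str(r)) if luhn_ok(m)]
```

Running `stored_pans(merchant.orders.values())` after a checkout returns an empty list, which is the property that takes the retailer’s order database out of PCI storage scope.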

The big advantage to this approach is that the retailers don’t carry the burden of all the PCI requirements. I’m sure that many of them fail to detect intrusions and/or keep a sufficiently secure environment (including keeping employees’ hands off card data!). Only the payment processors or banks would need to keep the secure environments, and, in the case of a breach, only one company would need to understand the scope of the intrusion to limit the economic exposure.

Categories: Architecture, Security