October 2009

	If your Internet provider filters incoming e-mail, please add ncxgroup.com to your list of approved senders to make sure you receive NCX Group Security Updates.
	MISUNDERSTANDING THE ROLE OF A QSA Senior management, including CEOs, should know by now that passing PCI DSS compliance does not mean your data is secure. It certainly has been made obvious with the notorious breaches of Heartland Payment Systems, Forever21, Best Western, Hannaford, and Network Solutions. All were said to be compliant by a QSA, but at what point? The roll of a QSA is to verify and validate compliance within the 12 core areas of the PCI standard. One must realize, though, that the assessment is based on a point in time. So if the QSA gives you a pass, it is based on the acknowledgement that technical controls within the cardholder data environment were being met at the time of audit. Many executives misunderstand the limitations of a PCI audit and believe a QSA will identify all their exposures, and be responsible for their security and any breaches that might occur. This simply is not the case. It is not a QSA’s role to provide a detailed security or risk assessment of your entire business network along with a remediation list of vulnerabilities and risks. That type of security due diligence falls to the company responsible for meeting compliance and securing its transactional data. Again, if you store, transmit, and process cardholder data, it is your responsibility to ensure the data is protected, not the QSA. A complete security program should be managed in-house or by a third party security consultant, such as NCX. The point is that true compliance will follow good security practices and go far beyond a checkmark. Because PCI DSS is considered the basic or lowest common denominator of achieving security, it is wildly naive to think it is an end-all to safe data. In fact, it is only the beginning. Your QSA can certainly provide advice and guidance if they see a discrepancy while performing your audit, but they have no control over your ongoing security program and cannot ensure your business systems will not change. Security is an ongoing process and every aspect of risk should be assessed to ensure all risk areas are identified and remediated.

ISSUE: October 2009


		Subscribe to Security Update

	2009 Reported Data Breaches Keep yourself updated on the latest security breach disclosures


	NCX Vision See What You’ve Been Missing Learn more here >>



	Looking forManaged Security Services? Call us at 888-448-5451 or contact us below

	Follow NCX on Twitter at www.twitter.com/ncxgroup

	To have an NCX Group Representative Contact You Email us here

You may be satisfied with achieving the bear minimum just to pass PCI compliance, but stopping there is putting your business and customer information in danger of being breached. We’ve seen it happen time and time again.

NCX Group provides the security assessment services and methods to not only help you prepare for a PCI audit by a qualified QSA, but increase your overall security posture as well. Whether we conduct a full security review or tailor our services specific to your needs, you will have a complete assessment to build the security program right for your business. We have helped many companies prepare for compliance and even more importantly, secure their critical data.

For a free consultation on how our experts can help you secure your data at a price that will fit your budget, `call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451
www.ncxgroup.com