Dara Security

Archived News from 2018

HIPAA Expertise with CHPSE Certification

We are proud to announce our increased focus on the Health Insurance Portability and Accountability Act (HIPAA), the federal law that protects patient health information.  By providing in-depth HIPAA training and subsequent Certified HIPAA Privacy Security Expert (CHPSE) certification to the staff who play a key role in HIPAA compliance, we are well-equipped to address the intricacies and ever-changing HIPAA requirements for our clients.

The CHPSE is the gold standard for HIPAA credentials and is the highest-level certification for core HIPAA compliance team members. ...


The Associate Qualified Security Assessor Program

In 2018, the PCI SSC introduced the new Associate Qualified Security Assessor (QSA) Program in order to attract new information security talent to the QSA Program, help meet the demand for QSAs, and ensure the sustainability of the QSA Program.  With the shortage of information security talent, QSA companies have found it challenging to find new assessors.  QSAs have been costly to hire and retain, which has increased assessment costs for merchants and service providers relying on QSA services.  The Associate QSA Program would bring new information security talent into...


Dara Managed ASV Scans

View this PDF: /content/ASV_Infographic.pdf


You’ve Achieved Compliance – Now What?

Achieving compliance with PCI’s standards requires organizations to dedicate significant resources to this effort.  Whether compliance is with PCI DSS, PA-DSS, or the P2PE standard, many entities would probably agree that the ritual of compliance can be a costly one.  Unfortunately, more resources must be spent to confirm compliance if there are any changes to the organization, software, or solution, or if there are modifications within the PCI requirements.

Many organizations achieve compliance and then reach out to their QSA to confirm compliance is maintained...


The General Data Protection Regulation

Promoted as the most important change in data privacy regulation in decades, the EU General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.  Organizations that are not GDPR compliant after this enforcement date could face significant fines.

Replacing an obsolete data protection directive from 1995, GDPR is designed to allow individuals to better control how their personal information is collected and processed.  Organizations collecting or receiving data on citizens in any of the 28 member states of the European Union (EU) or the UK are required to have...


Migrated from SSL and Early TLS Yet?

In 2015, the PCI Council recognized the need to move away from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS), referred to together as SSL/early TLS.  This family of cryptographic protocols is used to establish a secure channel between two systems by authenticating one or both systems and protecting the information passing between them.

PCI has acknowledged that SSL and early TLS are no longer safe methods for protecting sensitive data online.  In fact, the widespread use of SSL/TLS has motivated attackers to look for flaws in it, giving rise to serious vulnerabilities such as...


Penetration Test vs. Vulnerability Scan

View this PDF: /content/pentesting_3_Rev_1.pdf


The PCI 3DS Core Security Standard

EMV® Three-Domain Secure (3-D Secure, or 3DS) is a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (for example, Payment Systems).

3DS Assessors are able to assess service providers offering 3DS services against the PCI 3DS Core Security...


P2PE: A Valuable Tool for Merchants

Through Point-to-Point Encryption (P2PE), cardholder data is encrypted at the moment of entry by a certified card terminal and remains encrypted until it reaches a secure point of decryption outside of the merchant environment.  This secure point of decryption is operated by a validated PCI P2PE solution provider.  One benefit of P2PE is that it makes sensitive and protected data unreadable by unauthorized parties: the data is devalued because it is unusable in its encrypted form.  Another benefit is that P2PE significantly simplifies PCI compliance.  The P2PE Self-Assessment...


Penetration Testing Types

View this PDF: /content/Infographic_Pentesting_2.pdf


IoT Devices: Convenience with a Risk

The Internet of Things (IoT) has developed into a thriving industry estimated at $14 billion and poised for further growth.  Smart thermostats, voice-activated personal assistants, and other IoT devices are no longer novelty items found only in the homes of tech-savvy early adopters.  In fact, IoT has gained mainstream usage as people are enticed by the convenience these devices bring, and manufacturers continue to cast a wider net for consumers by making these devices more affordable.

IoT usage has spread outside the home and is also growing in public arenas. ...
