Dara Security

Archived News from 2019

Clarifying Key Blocks

Key Blocks is an important requirement within the PCI PIN Security Standard. This requirement focuses on protecting the integrity of the encrypted key and is critical in cryptography. The Key Blocks requirement helps prevent cryptographic keys from being misused and protects them from unauthorized modification or substitution.

The Key Blocks security method should be implemented alongside other applicable industry standards and is applicable to those seeking to comply with the PCI PIN Standard.  All acquiring entities and those responsible...


Planning for PCI DSS 4.0

The development process has begun for PCI DSS 4.0, the latest revision of the PCI standard aimed at supporting businesses in their efforts to safeguard payment card data. 

PCI DSS 4.0 is planned for a late 2020 release and will be the result of industry input gathered during the 2017 Request for Comments (RFC) period as well as future RFC periods that will be posted on the PCI SSC website.

According to initial industry feedback, the PCI SSC will be reviewing the specific areas of:

1. Authentication, especially regarding the...


QSA Rotation

In our commitment to providing quality PCI Data Security Standard (PCI DSS) assessments, we support the recently raised best practice of Qualified Security Assessor (QSA) Rotation. Discussions within the assessor community have focused on driving quality in PCI DSS assessments, and the idea of rotating the QSA emerged as a best practice. The PCI Security Standards Council has embraced this best practice and encourages organizations to consider and explore this strategy.

QSA Rotation calls for an organization to change the QSA who has been routinely conducting the...


Dara Security is a PCI Qualified Assessor Company

We are proud to have earned the PCI Qualified PIN Assessor (PCI QPA) certification, which allows us to perform assessments using the PCI PIN Security Standard. With our PCI QPA certification, we have demonstrated that we are equipped with the latest knowledge and tools to help payment stakeholders comply with Version 3.0 of the PCI PIN Security Standard.

By utilizing a PCI QPA company to conduct the PCI PIN assessment, a merchant or service provider can be confident that:

· the auditor has the required skills and...


The Status of EMV

Conversion from magnetic-stripe payment cards to EMV (Europay, Mastercard, and Visa) chip cards boomed when EMV conversion first launched, and recent data from Visa Inc. shows that conversion efforts continue to grow.

EMV conversion was first introduced in 2015 when the major card networks established a liability shift from issuers to merchants. Beginning in October 2015, merchants assumed the responsibility for financial losses due to counterfeit fraud if their POS terminals could not accept chip cards. As merchants gave chip technology top priority, EMV conversion grew rapidly...


The PCI SSF – Your Questions Answered

In response to questions we’ve received regarding the PCI Software Security Framework (PCI SSF), we’ve compiled the following answers to clarify the PCI Council’s newest standards.


Does the PCI SSF apply to me?

The PCI SSF is currently composed of two standards: 

1. Secure Software Standard (SSS)

2. Secure Software Lifecycle Standard (SSLC)

The SSS applies to payment software that is sold, distributed, or licensed to third parties. This...


Best Practices for Maintaining PCI DSS Compliance

Replacing a guidance document published in 2014, the PCI Council recently published Information Supplement: Best Practices for Maintaining PCI DSS Compliance. This new supplemental document outlines guidance and instruction for handling challenges associated with preserving PCI DSS compliance after the PCI DSS assessment has been completed.

Challenges in maintaining compliance occur for a variety of reasons. An organization may make changes due to customer requirements, shifting business goals, or a change in technology infrastructure. An organization may assume that continuing to do...


The Essentials to Data Security

A look at recent breaches reveals the continued need for securing information. The Identity Theft Resource Center continues to collect an increasing amount of breach data (https://idtheftcenter.org/2018-data-breaches/), proving that criminals are still working hard at committing cybercrimes. Business data breaches no longer dominate news headlines, perhaps indicating a sense of complacency or a business-as-usual view regarding data security. But businesses must remain vigilant in protecting the data that has been entrusted to them.

The PCI Council...


PCI Council Publishes New Software Security Standards

In January 2019, the PCI SSC published the PCI Software Security Framework v1.0 (PCI SSF). Program-related materials (Program Guide, reporting templates, et al.) are expected to be published mid-2019. But today, the PCI SSF standards are published and available on the PCI SSC website. The PCI SSF is composed of two standards:

· The Secure Software Standard v1.0

· The Secure Software Lifecycle Standard v1.0

The Secure Software Standard...


Ten Cybersecurity Tips for Businesses

With the start of a new year, it may be a good time for businesses to review their cybersecurity posture and realign their policies with industry best practices. The following ten cybersecurity tips were recently published during National Cybersecurity Awareness Month as a resource for small businesses. However, these guidelines could very well apply to a business of any size.


1. Employee training

Establish basic information security practices with employees, from requiring strong passwords and appropriate internet...
