Dara Security

Recent Articles

You’ve Achieved Compliance – Now What?

Achieving compliance with PCI’s standards requires organizations to dedicate significant resources to this effort.  Whether compliance is with PCI DSS, PA-DSS, or the P2PE standard, many entities would probably agree that the ritual of compliance can be a costly one.  Unfortunately, more resources must be spent to confirm compliance if there are any changes to the organization, software, or solution, or if there are modifications within the PCI requirements.

Many organizations achieve compliance and then reach out to their QSA to confirm compliance is maintained...


The General Data Protection Regulation

Promoted as the most important change in data privacy regulation in decades, the EU General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.  Organizations that are not GDPR compliant after this enforcement date could face significant fines.

Replacing an obsolete data protection directive from 1995, GDPR is designed to allow individuals to better control how their personal information is collected and processed.  Organizations collecting or receiving data on citizens in any of the 28 member states of the European Union (EU) or UK are required to have...


Migrated from SSL and Early TLS Yet?

In 2015, the PCI Council recognized the need to move away from older versions of the Internet security protocols Secure Sockets Layer and early Transport Layer Security (SSL/early TLS). These cryptographic protocols are used to establish a secure channel between two systems by authenticating one or both systems and protecting the information passing between them.

PCI has acknowledged that SSL and early TLS are no longer a safe method for protecting sensitive data online. In fact, the widespread use of SSL/TLS has motivated attackers to find flaws, giving rise to serious vulnerabilities such as...


The PCI 3DS Core Security Standard

EMV® Three-Domain Secure (3-D Secure, or 3DS) is a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (for example, Payment Systems).

3DS Assessors are able to assess a service provider providing 3DS services against the PCI 3DS Core Security...
