When Beverly Magda became CIO of the Humane Society of the United States in July 2005, her first goal was clear: Comply with the Payment Card Industry data security standard that had just been implemented. “Because we’re a nonprofit…we want [donors] to be able to trust us and know their information is secure with us,” she said.
The Humane Society’s process of encrypting credit card data and securing its network was already sophisticated enough to comply with PCI and protect sensitive personal data, Magda said.
The Humane Society did have to update its internal policies and procedures as well as submit to quarterly scans by a third-party security auditor, and ensure the results of those scans are made available to the banks of which it is a customer.
The Humane Society, which has worked to protect animals for more than half a century, was able to comply with PCI within a year of Magda’s arrival despite becoming extraordinarily busy in late 2005 after Hurricane Katrina.
The company thought complying should be easier. So early this year, it started using QualysGuard PCI, a software-as-a-service application from security vendor Qualys, which provides PCI compliance testing, reporting and submission.
Qualys acts as third-party auditor, making it easier to submit results to banks, Magda said.
With the old system, the Humane Society had to schedule a quarterly scan, then courier the audit report to banks or encrypt it and send via e-mail. Now the audits are scheduled automatically, and banks are notified afterward so they can log on to the Internet and download the reports, Magda said.
The QualysGuard PCI service includes quarterly network security scans to identify critical vulnerabilities and help customers fix the problems with instructions and links to verified patches.
Magda’s job, meanwhile, goes beyond PCI compliance. For example, the firm supports 120 Treo mobile devices to coordinate communication and animal rescues. “Advocacy isn’t a 9-to-5 job, and animal welfare isn’t a 9-to-5 job,” she said. 078451