Achieving compliance with payment card data security standards is complex, affecting not just the organisation receiving the payments but its service providers as well, charity Fred Hollows NZ has discovered.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that store, process or transmit cardholder data.
"Our merchant bank, BNZ, advised us in 2017 that our volume of credit and debit card transactions had exceeded a threshold which resulted in us being considered as a level three merchant and brought us under a greater level of scrutiny," the foundation’s finance and operations director, Sharon Orr, said.
"We were given until September 2018 to demonstrate compliance with the standard."
The charity, which works in the Pacific to restore sight to the needlessly blind and vision impaired, needed to engage a Qualified Security Assessor (QSA) to help it navigate the standard and become compliant, giving the foundation’s bank and donors assurance that all cardholder data was protected.
“Becoming PCI compliant is a rather complex process,” said Orr.
“We had to ensure that all the systems and procedures we were using to process credit card transactions met the requirements.
“We also had to be sure that all our service providers - such as our web hosting company and IT service provider - together with our entire technology infrastructure also achieved compliance.”
PCI DSS is also an evolving standard whose emphasis has shifted over recent years; version 3.2, for example, extended the multi-factor authentication requirement to all non-console administrative access to the cardholder data environment.
To ensure it was meeting compliance requirements and to address the complexity of its payment channels, the charity engaged a qualified security assessor, Confide, to assist.
During the process, it became apparent that improvements were required to the IT security measures in place within the organisation. Access controls had to be strengthened and threat detection and prevention mechanisms extended to deliver more thorough coverage.
Fred Hollows NZ worked with technology partner Tier4 to evaluate a range of security options before a decision was taken to implement a WatchGuard Unified Threat Management (UTM) appliance with WatchGuard Total Security Suite.
WatchGuard’s AuthPoint multi-factor authentication was also deployed to secure remote access to the foundation’s centralised networks for mobile staff.
Deployment began in April 2018 and was completed within two weeks.
Tier4 and Confide assisted with user training to ensure all staff were aware of IT security and the steps they needed to take to keep credit card transactional data safe.
As well as achieving compliance, the infrastructure has significantly strengthened the foundation’s overall cyber security.
“Staff attitudes to IT security have also improved," Orr said.
While there was some initial resistance to the two-factor authentication system, people are now comfortable with it and it has become part of daily activity.