Non-Profit Organization Achieves PCI Compliance with WatchGuard
Challenge
The Fred Hollows Foundation NZ is a non-profit organization that carries on the work of a legendary New Zealander, the late Professor Fred Hollows. Fred was an internationally acclaimed eye surgeon and social justice activist who championed the right of all people to high-quality and affordable eye care.
The Foundation works in the Pacific region where four out of five people who are blind don’t need to be; their condition is preventable or treatable. They restore sight to the needlessly blind and vision impaired, train local eye health specialists to provide eye care services in their own communities, and work to strengthen local health systems to achieve access to quality eye care. To support its training and outreach activities, the Foundation relies heavily on charitable donations from supporters. In 2018, this amounted to more than $8 million. Many of these donations have been made using credit cards and while this is convenient for donors, it caused a significant challenge for the Foundation.
Payment Card Industry (PCI) data security standards apply to all organizations that store, process or transmit cardholder data. The Foundation’s finance and operations director, Sharon Orr, says, “We needed to engage a qualified security assessor company to help navigate and become compliant with the PCI data security standards to give the Foundation’s bank and donors the assurance that all cardholder data is protected.”
PCI standards were designed to increase the security of systems to reduce incidents of credit card fraud. “Becoming PCI compliant is a rather complex process,” explains Sharon. “We had to ensure that all the systems and procedures we were using to process credit card transactions met the requirements. We also had to be sure that all our service providers – such as our web hosting company and IT service provider – together with our entire technology infrastructure, also achieved compliance.”
During this process, it became apparent that improvements were required to the IT security measures in place within the organization. Access controls had to be strengthened and threat detection and prevention mechanisms extended to deliver more thorough coverage.
Solution
Working with technology partner Tier4, the Foundation evaluated a range of security options before a decision was made to implement a WatchGuard Unified Threat Management (UTM) T70 appliance with WatchGuard Total Security Suite.
WatchGuard’s AuthPoint multi-factor authentication was also deployed to ensure secure remote access to centralised networks for mobile staff members.
Sharon notes, “Deployment of the WatchGuard solution began in April 2018 and was completed within two weeks. Tier4 and the Foundation’s qualified security assessor company, Confide, assisted with comprehensive user training to ensure all staff were aware of IT security and the steps they needed to take to keep credit card transactional data safe at all times.”
Results
With the T70 and Total Security Suite in place, the Foundation achieved full PCI compliance ahead of the September 2018 deadline. This allowed the ongoing processing of credit card transactions and ensured uninterrupted funding for its range of charitable activities.
As well as helping to achieve PCI compliance, Sharon comments, “The WatchGuard infrastructure has significantly strengthened the Foundation’s overall cyber security. We are now in a much better position to respond to incidents and are highly confident we would meet our regulatory requirements should we suffer a cyber attack or data breach,” she says.
“Staff attitudes to IT security have also improved. While there was some initial resistance to the two-factor authentication system, people are now comfortable with it and it has become part of daily activity.” Sharon explains, “Tier4 has been a valuable technology partner and continues to assist with any mitigations required identified through the regular penetration and vulnerability testing. Robust monitoring systems are in place to ensure the Foundation remains PCI compliant at all times.”
“As a charity, we are heavily reliant on our good reputation to remain in business,” says Orr. “With our WatchGuard infrastructure in place, and with the support of Tier4, we are very confident that we have a secure, reliable IT environment that can support our activities both now and in the future.”