When Beverly Magda became CIO of the Humane Society of the United States in July 2005, her first goal was clear: Comply with the Payment Card Industry data security standard that had just been implemented.
“Before I came on board, that was the first thing given to me,” she says. “Because we’re a nonprofit … we want [donors] to be able to trust us and know their information is secure with us.”
The Humane Society’s process of encrypting credit card data and securing its network was already sophisticated enough to comply with PCI and protect sensitive personal information, Magda says. In other words, she was confident the infrastructure she inherited would avoid the kinds of data breaches that have recently plagued TJX.
But the Humane Society did have to update its internal policies and procedures, submit to quarterly scans by a third-party security auditor, and make the results of those scans available to the banks it does business with.
The new standards that took effect in 2005 are overseen by the PCI Security Standards Council, which was founded by credit card companies. Under the rules, credit card companies can fine banks that fail to get their merchant customers to comply, and those banks can pass the fines on to merchants.
The Humane Society, which has worked to protect animals for more than half a century, was able to comply with PCI within a year of Magda’s arrival despite becoming extraordinarily busy in late 2005 after Hurricane Katrina.
But it thought complying should be easier. So early this year, it started using QualysGuard PCI, a software-as-a-service application from security vendor Qualys that provides PCI compliance testing, reporting and submission.
Qualys acts as the third-party auditor and makes it easy to submit results to banks, Magda says. “Last year, we had a different third-party vendor, but they were using the Qualys product anyway. We thought we’d just go directly to Qualys,” she says.
Under the old system, the Humane Society had to schedule a time for each quarterly scan and then either FedEx the audit report to the banks or encrypt it and send it by e-mail. Now the audits are scheduled automatically, and the banks are notified afterward so they can log on and download the reports. “It takes a lot less time now,” Magda says.
Comments (1)

Re: PCI compliance tops Humane Society CIO's agenda
By Anonymous on April 9, 2007, 4:28 pm
Excellent work Bev! They are very lucky to have you. I say that from experience. Bev used to be my boss. She was the most intelligent, thoughtful, sweetest boss...