Body Shop rolls out PCI system

PCI deadlines have prompted the roll out of log management tools at The Body Shop

Cosmetics retailer The Body Shop is about to roll out a logging system to manage credit card information in line with Payment Card Industry Data Security Standard (PCI DSS) requirements, following a successful initial implementation in the Americas.

The company had to install a log management system to serve its operations in the Americas in time for a 31 March PCI compliance deadline, and is now set to implement the technology in the UK before rolling it out to businesses in the Europe, Middle East, Africa and Asia-Pacific regions.

Following an auditing process, the company selected the new system based on criteria such as compatibility with its existing IT set-up, scalability, ease of use and cost.

"We configured each test solution to talk to our systems and analysed how easy the system was to set up, how the vendor worked with us, and how well the product performed," said Body Shop director of global e-commerce and IT Jon Granville. "We wanted to be comfortable with both the tool and the vendor."

The US platform went live in March. Benefits gained from its use so far include improved reporting capabilities and secure long-term storage capacity for encrypted data to support forensic analysis.

"PCI sets standards which, from a security perspective, make common sense," said Granville. "We should be able to demonstrate that we are secure, compliance mandates or not."

Training was provided to users and IT support staff at The Body Shop during the testing and installation phase.

"We have not lost valuable time with staff going off for training courses. There's simply been no need," said Granville.

A secure network area for a system that handled credit cards at The Body Shop was also used to transmit some non-credit card data. With the log data provided by the new system, the retailer could identify how to establish links between systems outside of the secure zone.

The retailer also said the new log management system helped it to solve bandwidth-related issues with its point-of-sale software.

With compliance achieved in the Americas, the retailer now intends to roll out the LogLogic-supplied system in the UK and is currently assessing its infrastructure as well as the design for the logging tool.

"It's partly technical assessment but it's also a business process assessment: how do we process credit cards as a business? We need to map everything and see what is in scope," said Granville. "Once that has been established, we'll begin implementation."