Body Shop logs onto PCI:DSS with LogLogic

The UK's original eco-conscious retailer, Anita Roddick's The Body Shop, has turned to LogLogic to help its 2,500 stores in more than 60 countries comply with the Payment Card Industry's Data Security Standard (PCI:DSS).

PCI:DSS requires organisations that accept card-based sales to protect the information on the cards against theft and fraud. Part of the 12-step standard is to track all security events on systems that handle, process and store credit card information.

"PCI sets standards which, from a security perspective, make common sense," said Jon Granville, director of global e-commerce & IT for The Body Shop. "We should be able to demonstrate that we are secure - compliance mandates or not."

The initial implementation was planned for the company's North American datacentre, but The Body Shop also wanted to roll it out to the UK, EMEA and Asia-Pacific regions in 2008.

A desk research project narrowed the supplier shortlist to three. "Right from the outset, LogLogic bought into our requirements and understood the key business drivers," said Granville. "They were in fact the only supplier that would guarantee that they would deploy the system into our environment by the March deadline. That was very important to us."

Not only did the system go in quickly, but users were up to speed quickly too, he said. "We have not lost valuable time with staff going off for training courses," said Granville. "There has simply been no need. This has been a key differentiator."

LogLogic has also helped The Body Shop to discover and troubleshoot other system issues. The secure network zone built around its card-handling system also needed to pass some non-card data through that highly secured zone, and the log data helped The Body Shop work out how to do this.

LogLogic software also helped The Body Shop to identify point-of-sale (POS) software that was hogging network bandwidth. It found the application was part of a testing process that did not need to be on the live production system. A reconfiguration soon freed more bandwidth.

Now that its American shops comply with PCI, The Body Shop's UK, EMEA and Asia-Pacific operations are following suit. The company is now identifying which parts of its IT infrastructure need logging, and it will then plan how to do it.

"It is partly technical assessment," said Granville. "But it is also a business process assessment - how do we process credit cards as a business? We need to map everything and see what is in scope. Once that has been established, we will begin implementation."
