Founded in 1875 by James David Williams, JD Williams & Company Ltd, part of N Brown Group plc, is one of the UK’s leading direct home shopping companies. Retailing through 20 catalogue brands, the company offers a large selection of clothing and other products for all ages and sizes.
One of the pioneering UK companies to post products to customers, JD Williams now has over 6 million customers and approx. 3500 employees based in the UK and Ireland.
JD Williams were faced with an imminent deadline for PCI compliance. As PCI compliance is mandatory for every eCommerce merchant that accepts credit or debit card payments on their website, it is essential that customers’ sensitive data be well protected. The company needed a solution that could help them achieve their goal of PCI compliance and protect their customers’ sensitive data.
Previously JD Williams had distributed hard copies of information security policies and required staff to sign an acknowledgement form. Lloyd explains: “Obviously, that was a very labour intensive process and we hadn’t carried out that exercise for some years. Other policies were published on the company intranet but that’s a very passive method and there’s no way we could track users accessing those policies.”
Lloyd adds: “An annual project of this scope, performed manually, would require assistance from 10 site managers, located at various operational centres, 3 full time employees and an estimated 1-2 months to complete. This realisation, coupled with regulatory mandates, became the main catalyst for selection of a GRC solution.”
JD Williams looked at a number of available solutions on the marketplace when tasked with finding a policy management system. After careful consideration, MetaCompliance was chosen due to:
- Ease of integration and deployment in getting the compliance agents to numerous end-points due to alignment with Citrix clients;
- Purpose-built solution;
- Impressive customer base;
- Best value solution.
Ease of integration and deployment was a key benefit of the MetaCompliance solution to JD Williams. The company opted for a staggered roll-out of the MetaCompliance Advantage product by Department and/or physical site. According to Geoffrey Lloyd:
“As well as several on-site visits, the MetaCompliance team offered numerous instances of support as required during roll out, sometimes via telephone and when required through remote log-in.”
This offered seamless integration with current systems, which was instrumental to the successful roll-out.
JD Williams has used Advantage to distribute security policies and to gain evidence that staff have read and accepted those policies in an efficient and cost-effective manner. As a result of that exercise, JD Williams has improved its security posture, and the exercise played a pivotal part in the company becoming PCI compliant.
JD Williams recognises several different benefits from deploying Advantage, including:
• An increase in user understanding and awareness which will bring an improved culture of IT security to the organisation
• The ability to cost effectively obtain employee agreement to IT security and compliance policies across the global organisation
• The protection of corporate infrastructure from malware and viruses
• Minimising the risk of data leakage
• The ability to demonstrate to regulators and customers that JD Williams takes its commitments seriously
• The improvement of IT security will raise the corporate profile and attract new business
• Return on investment will be realised from the product being used across the organisation.
Policy Dissemination and Acceptance
JD Williams communicated a Corporate Information Security Policy as well as an e-mail and Internet Acceptable Usage Policy through MetaCompliance.
MetaCompliance allows users to “snooze” policies at busy times but administrators can add an enforcement date by which time a policy must be responded to. This aspect of the software enforces a response from users and guarantees a 100% sign up rate.
According to Geoffrey Lloyd: “We gave users the ability to “snooze” acceptance of the policies for three weeks but after that time they had to accept the policy before being allowed to work normally. We were able to achieve 100% acceptance for all those with the MetaCompliance agent installed on their PC and who were targeted with a policy.”
JD Williams have used MetaCompliance to deliver risk assessments, surveys and eLearning to users, guaranteeing a 100% response rate.
Looking to the future, JD Williams plan to continue taking advantage of the MetaCompliance Policy delivery mechanism in order to comply with PCI DSS requirements. The audit trail will enable them to prove compliance to their external auditors, as explained by Geoffrey Lloyd:
“We believe that MetaCompliance will continue to provide us with an easy to manage delivery mechanism for our Information Security policies and other related policies as required by the PCI DSS. As the main aim is to meet the requirements of the PCI standard, we will also be using the audit trail and the reporting capabilities of MetaCompliance to prove compliance to our external auditors.”