Information security is of utmost importance to Comm100 customers. Security is a core functional requirement that protects critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.
Comm100 provides a series of security options that you can use to ensure that your confidential information is protected and secure. Comm100 strongly suggests that agents and administrators follow these best practices to maintain a secure environment.
If you are uncertain about the security of your Comm100 system, you can contact us by sending an email to support@comm100.com.
This article provides the following best practices, which can increase the security of your Comm100 account and reduce the risk of a security gap:
- Do not share your email addresses or passwords
- Restrict the number of agents with administrator privilege
- Audit your Comm100 account regularly
- Monitor audit logs
- Authenticate visitors and agents with single sign-on
- Ban visitors from initiating chat requests
- Request sensitive data from visitors using Secure Forms
- Block sender for unsolicited messages
- Manage restricted words to prevent sending sensitive data
- Mask credit card numbers
- Set password policy
- IP allowlist for agents
- Use OAuth client authentication
- Use two-factor authentication
Do Not Share Your Email Addresses or Passwords
Your agents and administrators should never share email addresses or passwords with another person. If you are using standard Comm100 login authentication, the only secure way to reset a password is to click the Forgot your password link on the login screen of your Comm100 account. The screen prompts the user to enter a valid email address, to which an email containing a password reset link is sent.
To learn about resetting your password, see this article.
If you authenticate agents through a third-party single sign-on provider (via SAML or JWT), passwords are managed and reset in that provider rather than in Comm100.
Restrict the Number of Agents with Administrator Privilege
Agents with administrator privileges have full access to your Comm100 account that regular agents do not have. By limiting the number of agents with administrator privilege, you lower your security risk. If you are concerned about agents accessing information about your customers, you can create a role that prevents them from editing or viewing customer profiles.
You can create your custom agent roles and decide what parts of Comm100 that the agent role can access.
Audit Your Comm100 Account Regularly
It is considered best practice to check for suspicious activity routinely so that your Comm100 account stays private and secure. Comm100 suggests that you use the following checklist frequently to ensure that no mistakes have been made that may leave your system vulnerable.
- Review agent permission settings from the Global Settings > People > Agents page to look for unknown agents, unexpected administrators, or email addresses outside your company domain.
- Review role permission settings from the Global Settings > People > Role page to confirm that each role grants only the access its members need and that no unknown agents or administrators hold privileged roles.
- Review the members in each Department.
- Check the email address(es) that is set up to receive chat transcripts and offline messages, to ensure they are all correct and up to date.
To learn more about managing agent permissions, see this article.
Monitor Audit Logs
Using the audit log, you can monitor various security events such as security management, block sender management, agent role management, and many more. This gives you a way to track many of the critical changes to your account.
To learn about checking the audit log of your site, see this article.
Authenticate Visitors and Agents with Single Sign-On
Visitor Single Sign-On: You can authenticate your visitor’s account information before initiating the chat using the Visitor Single Sign-On (SSO) feature. Once visitors log in, your agents can view their account information in Comm100 Live Chat. This helps them know who they are chatting with and avoid asking the same standard questions.
Comm100 supports Visitor Single Sign-On using Security Assertion Markup Language (SAML).
To learn more about the Visitor Single Sign-On, see this article.
Agent Single Sign-On: With Agent SSO, your agents use a single login across Comm100 and other applications. They log in once and move securely between Comm100 and other applications without logging into separate accounts or remembering multiple usernames and passwords. Comm100 supports Agent SSO via the SAML (Security Assertion Markup Language) or JWT (JSON Web Token) standard.
To learn more about the Agent Single Sign-On, see this article.
Ban Visitors from Initiating Chat Requests
You can ban visitors from initiating chat requests. If a visitor is banned by visitor ID or IP address, the chat button is no longer shown in their web browser. In Comm100, you can ban visitors from the following three places:
- When you are in the Control Panel.
- When you are monitoring visitors in the Agent Console.
- When you are in chat sessions in the Agent Console.
To learn more about banning visitors, see this article.
Request Sensitive Data from Visitors Using Secure Forms
Secure Forms, designed as per PCI DSS compliance rules, allow you to request sensitive data such as credit card information from visitors during chat sessions and ticket engagements. Information requested through Secure Forms is not saved in chat transcripts and ticket history.
You can design your secure form from your Control Panel > Global Settings > Security > Secure Form page.
Block Sender for Unsolicited Messages
The Comm100 Ticketing system allows you to add an email account and create support tickets out of any emails received by those accounts. However, your email account might also receive some unsolicited emails, which can create tickets as well.
The Block Sender feature helps you block unsolicited messages from specific email addresses or domains and move them to the Ticket Junk folder or reject them.
To learn more about blocking senders, see this article.
Manage Restricted Words to Prevent Sending Sensitive Data
Create and manage restricted words that you do not want to be sent in chats or ticket conversations between agents and customers. You can define restricted phrases for agents and for customers separately. Once this feature is enabled, restricted words in agents' or customers' messages are highlighted, and the messages cannot be sent until the restricted words are removed.
You can manage restricted words from your Control Panel > Global Settings > Security > Restricted Words page.
Mask Credit Card Numbers
Credit Card Masking allows you to mask credit card numbers sent directly through the chat window or within any messages sent from integrated channels (Facebook/Twitter/Email/SMS/WhatsApp for Business/WeChat) to protect visitors' data privacy. The credit card numbers are collected, processed, and transmitted in accordance with the PCI DSS rules.
You can enable credit card masking from your Control Panel > Global Settings > Security > Credit Card Masking page.
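The following is an added example, not Comm100's own code, of how a masking filter of this kind can be built. It assumes a candidate pattern of 13 to 19 digits optionally separated by single spaces or hyphens, uses the Luhn checksum to avoid masking order numbers and other long digit strings that only look like card numbers, and keeps the last four digits visible. The regex, the masking format, and the sample messages are this example's own choices.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. (Assumption of this example, not Comm100's rule.)
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card_numbers(text: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits of each plausible card number.

    Separators are preserved so the masked value keeps the original layout,
    e.g. '4111 1111 1111 1111' -> '**** **** **** 1111'.
    """
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Leave strings that fail the checksum untouched (likely not a PAN).
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            return raw
        to_mask = len(digits) - keep_last
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                out.append("*" if seen < to_mask else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)

    return _CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample messages; the card numbers are standard test numbers.
    for msg in ["my card is 4111 1111 1111 1111, exp 12/26",
                "amex 378282246310005",
                "order number 1234567890123 still pending"]:
        print(mask_card_numbers(msg))
```

The Luhn check is a plausibility filter, not proof that a number is a live card; it only reduces false positives on numbers that would otherwise be masked. A production filter should also handle separators other than space and hyphen and be applied before the message is written to any transcript or log.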
Set Password Policy
As an administrator, you can set an account-level password policy from the Control Panel using any combination of the following rules:
- Password must have at least 8 characters
- Require three of the four types of characters: uppercase, lowercase, numeric, and special (for example, $, &, #, @)
- Prevent use of agent names as passwords
- Prevent commonly used password phrases, such as 123456, password, and qwerty
- Password cannot be the same as one of the last 5 passwords
- Password expires 40 days after creation and must be changed before the next login. Note: Starting 3 days before the password expires, agents are prompted on the login page to change it.
- Password can be changed at most 3 times within 24 hours
- Account will be locked after 5 failed login attempts
You can set password policy from your Control Panel > Global Settings > Security > Password Policy page.
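The following is an added example, not Comm100's own code, showing how the rules listed above can be enforced together: the complexity checks, the reuse check against the last 5 passwords (kept only as salted hashes), the 3-changes-per-24-hours limit, the 40-day expiry with a 3-day warning window, and the lockout after 5 failed logins. The common-password list is a constructed sample, and the agent-name rule is implemented as a case-insensitive substring check, which is this example's assumption and stricter than exact equality.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123", "letmein"}

DAY = 86400
MAX_AGE = 40 * DAY           # password expires 40 days after creation
WARN_BEFORE = 3 * DAY        # prompt to change during the last 3 days
HISTORY_DEPTH = 5            # cannot reuse any of the last 5 passwords
MAX_CHANGES_PER_DAY = 3
MAX_FAILED_LOGINS = 5


def _hash(password: str, salt: bytes) -> bytes:
    # Keep only salted PBKDF2 hashes so the history itself leaks nothing.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class AgentAccount:
    name: str
    history: list = field(default_factory=list)       # [(salt, hash)], newest last
    change_times: list = field(default_factory=list)  # Unix timestamps of changes
    failed_logins: int = 0
    locked: bool = False


def policy_violations(account: AgentAccount, pw: str, now: float) -> list:
    """Return the policy rules the proposed password breaks (empty list = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("fewer than three of: uppercase, lowercase, digit, special")
    # Assumption: agent-name rule enforced as a case-insensitive substring check.
    if account.name.lower() in pw.lower():
        problems.append("contains the agent name")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(pw, salt), digest):
            problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
            break
    recent = [t for t in account.change_times if now - t < DAY]
    if len(recent) >= MAX_CHANGES_PER_DAY:
        problems.append("changed more than %d times in 24 hours" % MAX_CHANGES_PER_DAY)
    return problems


def set_password(account: AgentAccount, pw: str, now: float) -> bool:
    """Apply the policy; on success record the new hash and the change time."""
    if policy_violations(account, pw, now):
        return False
    salt = os.urandom(16)
    account.history.append((salt, _hash(pw, salt)))
    account.history = account.history[-HISTORY_DEPTH:]
    account.change_times.append(now)
    return True


def password_state(account: AgentAccount, now: float) -> str:
    """'expired', 'expiring' (prompt at login) or 'ok', based on the last change."""
    age = now - account.change_times[-1]
    if age >= MAX_AGE:
        return "expired"
    if age >= MAX_AGE - WARN_BEFORE:
        return "expiring"
    return "ok"


def record_login(account: AgentAccount, success: bool) -> bool:
    """Count failed attempts and lock after MAX_FAILED_LOGINS; True if login allowed."""
    if account.locked:
        return False
    if success:
        account.failed_logins = 0
        return True
    account.failed_logins += 1
    if account.failed_logins >= MAX_FAILED_LOGINS:
        account.locked = True
    return False


if __name__ == "__main__":
    acct = AgentAccount("alice")
    print(set_password(acct, "Tr0ub4dor&3", now=0))          # accepted
    print(policy_violations(acct, "Tr0ub4dor&3", now=10))    # reuse rejected
    print(policy_violations(acct, "password", now=10))       # common + weak
```

Note that the reuse check has to hash the candidate with each stored salt, which is what makes the stored history safe to keep; comparing against stored plaintext passwords would defeat the purpose of the rule.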
IP Allowlist for Agents
Once this feature is enabled, administrators can restrict logins to the Comm100 Control Panel and Agent Console to specific IP addresses or IP ranges. You can also limit mobile access to your Comm100 account to authorized IPs.
You can manage the IP allowlist from your Control Panel > Global Settings > Security > IP Allowlist page.
Use OAuth Client Authentication
An OAuth Client is a token-based method of authentication that allows a third-party application to access your Comm100 account data using the OAuth protocol. You can create a new OAuth Client by providing the following details: client name, company, client ID, and redirect URLs. Register only the exact redirect URLs the application uses, and remove clients that are no longer needed, since each one is a standing path into your account data.
To learn more about OAuth Client authentication, see this guide.
Use Two-Factor Authentication (2FA)
Two-factor authentication (2FA) helps protect your Comm100 account from unauthorized access by adding a second layer of verification on top of your primary login. Comm100 suggests that you enable it to further strengthen account security, since a password alone is not enough to protect your customers' data if it is phished or leaked. To set up 2FA, install an authenticator app on a mobile device and use it to scan the QR code shown during setup.
To learn more about two-factor authentication, see this article.