
Comm100 Live Chat Achieves Security Milestone with PCI Compliance

Security is one of the top concerns of enterprise businesses when they are looking to implement live chat onto their websites. At Comm100, we fully understand the importance of security to our users and we are striving to provide the most secure solution in the live chat industry. Being PCI DSS compliant adds an extra level of control and manageability for our already highly secure live chat solution.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card companies, including Visa, MasterCard, American Express, Discover, and JCB. Comm100 Live Chat has now been attested as PCI DSS compliant as a service provider.

The Secure Form offered in Comm100 Live Chat enables you to collect sensitive data such as cardholder data (CHD), social security numbers and other personally identifiable information (PII) securely from your website visitors during a live chat. The sensitive data transmitted is only temporarily accessible to the authorized operator during the chat session. Once the chat session ends, the data is removed from the chat transcript and is no longer accessible to anyone, anywhere.

This supports your own PCI DSS compliance while giving you the convenience of requesting sensitive data right in the live chat channel. It also makes things much easier for visitors and customers: they get immediate help while resting assured that their data is protected.

In addition to the Secure Form feature, we have also greatly enhanced the physical environment and all procedures and processes governing our software development, deployment and operation. All of these have passed the audit of a qualified security assessor (QSA). This means we are enforcing industry-leading security controls and our security management is fully repeatable, defined and consistent.

The PCI compliance further establishes Comm100 as the industry leader of enterprise live chat solution.

Benefits of PCI Compliance

  1. A Must for PCI DSS Compliant Businesses to Stay in Good Standing

    PCI DSS compliant businesses are required to make sure all their points of processing, storing or transmitting credit card information meet the security requirements of PCI DSS. If you want to receive credit card information over live chat while staying PCI compliant, you have to make sure the live chat service or software you are using also complies with PCI DSS. Otherwise, you need to include live chat in your own annual compliance audit, which greatly increases the scope and cost of your PCI compliance program.

  2. An Additional Level of Data Security for Everyone

    The Secure Form feature creates an independent “secure channel” for you to request CHD, PII and other sensitive information (e.g., secret answers, PIN codes, etc.) during a live chat, right within the standard chat window. Together with the strengthened environment and procedures, this reduces the risk of a breach of consumer data and privacy for every business, and boosts customer confidence and convenience.

  3. Reducing Security Review Cost for Enterprise Businesses

    If you are an enterprise business, you may need to go through a comprehensive security review process before you can decide to go with a live chat service provider. The PCI compliance will simplify your security review process thus reducing the cost involved and helping you get live chat up and running more quickly.

  4. Managed and Consistent Security

    Standardized procedures and processes are in place to make sure the security of our live chat solution is fully repeatable and under control. You can have peace of mind when using our service.

Security Measures for PCI Compliance

The PCI compliance audit covers hundreds of security requirements from physical security to policies and procedures. Below is an overview of what’s included:

  1. Secure Form
    • Transfer of the sensitive information goes through an encryption process.
    • Access to the encrypted data requires operator authentication and session validation.
    • A dedicated PCI DSS compliant server is used to handle the entire secure data transfer process.
    • The sensitive data submitted through the secure form will only be available to the authorized operator during the chat session and will not be stored in the chat transcript nor on any server.
  2. Credit Card Number Masking

    When this option is enabled, Comm100 Live Chat will automatically detect and mask credit card numbers directly submitted through the chat window, showing only the last four digits.

  3. Operator Account Password Policy and Access Control

    Comm100 Live Chat offers a comprehensive list of security controls for you to protect your account from unauthorized access, including IP restriction, password policy, CAPTCHA Verification, etc.

    The following settings are the minimum your live chat account must enforce to meet the PCI DSS password and session requirements.

    • Password policy
      • Minimum length: 7 characters
      • Complexity: Both numeric and alphabetic characters are required
      • Expires after number of days: 90 days or less
      • Prevent using a determined number of previously used passwords: 4 last passwords
      • Restrict the use of usernames in passwords: enabled
      • Maximum password changes per day: 2
      • Restrict commonly used password phrases: enabled
    • Account lockout
      • Lockout threshold: 6 failed login attempts or less
      • Lockout period: 30 minutes
    • Session timeout
      • Log the operator out, or lock the operator console and then log out, after 15 minutes of inactivity
    • Auto-login
      • Disable the auto-login feature
  4. Secure System and Network
    • PCI compliant data center and network architecture
    • Operating System (OS) hardening
    • Separate network
    • Anti-virus software
    • Two-factor authentication for remote access
    • Firewall and IPS
  5. System Operation Procedures
    • Change management
    • Incident response plan
    • Internal security training
    • Network and systems monitoring
    • User access management
    • Vulnerability management
  6. Software Development Procedures
    • Secure coding
    • Coding guidelines
    • Code review guidelines
    • Penetration testing
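The credit card number masking described in item 2 above detects card numbers typed into the standard chat window and shows only the last four digits. The following is an added example of how such a filter can be built; it is not Comm100's code. It assumes a plain-text chat message as input and uses a Luhn check so that order numbers and other long digit runs are left alone, which the post does not describe but which any such filter needs to avoid masking harmless text.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects order refs and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_keep_last4(raw: str) -> str:
    """Replace every digit except the last four with '*', keeping separators."""
    n_digits = sum(c.isdigit() for c in raw)
    to_mask = n_digits - 4
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            out.append("*" if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_pans(message: str) -> tuple[str, int]:
    """Return the message with Luhn-valid card numbers masked and a count of masks applied."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        raw = m.group(0)
        if not luhn_valid(re.sub(r"[ -]", "", raw)):
            return raw            # fails Luhn: not a card number, leave it alone
        count += 1
        return _mask_keep_last4(raw)

    return _PAN_CANDIDATE.sub(_sub, message), count


if __name__ == "__main__":
    # Constructed sample chat lines; 4111 1111 1111 1111 is a well-known test PAN,
    # the second line is a 16-digit order reference that fails the Luhn check.
    for line in [
        "visitor: my card is 4111 1111 1111 1111, exp 12/26",
        "visitor: order ref 1234 5678 9012 3456 never arrived",
    ]:
        masked, n = mask_pans(line)
        print(n, masked)
```

The masking is applied to the message before it is written to the transcript or shown to the operator; the expiry date and CVV are not matched by this pattern and would need their own rules, which is one reason the Secure Form remains the preferred channel for full cardholder data.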

For more details about the PCI DSS requirements, please refer to the PCI DSS v3.2 SAQ D Service Provider, against which Comm100 Live Chat is attested for compliance.
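The password policy, account lockout and session timeout values in item 3 above are the PCI DSS v3.2 Requirement 8 minimums. As an added example (not Comm100's code), here is how those rules can be enforced in an operator account service: a password validator with a hashed history, a lockout counter and idle/age checks. The `PasswordPolicy` and `LoginGuard` names, the PBKDF2 hashing of the history and the short list of common phrases are assumptions made for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample of commonly used phrases to reject; a real deployment
# would check against a much larger breached-password list.
COMMON_PHRASES = ("password", "qwerty", "letmein", "welcome", "123456")


@dataclass
class PasswordPolicy:
    """Minimum values listed in the post (PCI DSS v3.2 Requirement 8)."""
    min_length: int = 7
    history_size: int = 4
    max_age_days: int = 90
    max_changes_per_day: int = 2
    lockout_threshold: int = 6
    lockout_seconds: int = 30 * 60
    idle_timeout_seconds: int = 15 * 60


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never holds plaintext; any slow hash works."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_violations(policy, username, candidate, history, changes_today):
    """Return the rules the candidate breaks; an empty list means it is accepted.

    history is a list of (salt, digest) pairs for previous passwords, oldest first.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not (re.search(r"[0-9]", candidate) and re.search(r"[A-Za-z]", candidate)):
        problems.append("needs both letters and digits")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if any(p in candidate.lower() for p in COMMON_PHRASES):
        problems.append("contains a commonly used phrase")
    for salt, digest in history[-policy.history_size:]:
        if hash_password(candidate, salt) == digest:
            problems.append(f"matches one of the last {policy.history_size} passwords")
            break
    if changes_today >= policy.max_changes_per_day:
        problems.append("too many changes today")
    return problems


@dataclass
class LoginGuard:
    """Counts failed logins per user and locks the account at the threshold."""
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time lock expires

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def attempt(self, user, credentials_ok, now):
        """Record one login attempt; True only if the login is allowed through."""
        if self.is_locked(user, now):
            return False          # even a correct password is refused while locked
        if credentials_ok:
            self.failures.pop(user, None)
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.policy.lockout_threshold:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures.pop(user, None)
        return False


def session_expired(policy, last_activity, now):
    """True once the operator has been idle for the policy's timeout."""
    return now - last_activity >= policy.idle_timeout_seconds


def password_expired(policy, set_at, now):
    """True once the password is older than the policy's maximum age."""
    return now - set_at >= policy.max_age_days * 86400
```

The lockout keeps refusing the account for the full 30 minutes even when the correct password is supplied, which is the behaviour the threshold/period pair in the post describes; an implementation that resets the counter on the next correct guess would let an attacker cycle through guesses unhindered.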

Additional Security Measures We Are Enforcing

  1. Rigorous Backup Strategy

    Comm100 executes rigorous backup and disaster recovery plans. Your data is backed up to multiple servers to protect it against natural disasters and other data-loss events. We also encrypt and back up your data to another data center 1000+ miles away to further ensure your business continuity.

  2. TLS Encryption

    All network communications in Comm100 Live Chat are TLS encrypted.

  3. Transparent Privacy Policy

    Comm100 does not share, sell, rent, or trade our customer information with third parties. Our Privacy Policy is certified by TRUSTe, a leading global Data Privacy Management (DPM) company.

  4. IP Restriction

    Add authorized IPs/IP ranges to your Comm100 Live Chat account to grant login access to specific IPs/IP ranges only.

  5. Audit Logs

    The audit logs feature in Comm100 Live Chat allows you to track all your operators’ activities as well as all changes to your live chat system. This provides accountability for each operation within the system and lets you trace mistaken changes back to their source.

  6. LDAP Authentication

    With the Lightweight Directory Access Protocol (LDAP) authentication, operators can log in with a single user ID to gain access to Comm100 Live Chat and all working platforms, eliminating the need for various usernames and passwords.

How the Secure Form Works

  • Users with admin access can set up multiple custom secure forms and define their fields directly in the Comm100 Live Chat control panel. A cardholder data form is provided out of the box.
  • When an operator needs sensitive information from a visitor, they click the Secure Form button in the chat console, select the form they need and send it to the visitor.
  • The visitor receives the secure form in their chat window, fills it out and submits it.
  • The information is delivered to the operator over the secure channel and shown in the operator’s chat console. Once the chat session ends, it is removed from the chat transcript and is not stored, so it cannot be viewed or retrieved afterwards.

We Will Continue to Promote Live Chat Security

At Comm100, security is a top priority and we will continue further implementation of PCI Compliance across the entire Comm100 Live Chat for Enterprise product. This means the development, deployment and operation of the entire product will be PCI compliant. In the future our users will no longer need to use the Secure Form to receive sensitive data. Instead, the sensitive data can be sent right in the standard chat window and will be stored in chat transcripts, all while staying PCI compliant. Note that even then, sensitive authentication data such as the card verification code (CVV/CVC) or PIN may not be retained after authorization under PCI DSS Requirement 3.2, whatever the service provider’s compliance status.

Do you have questions about PCI compliance or live chat security? Request a demo from our security experts now!


Anna Zhang

About Anna Zhang

Anna Zhang heads product marketing in Comm100. She spends most of her day in finding ways to have more people benefit from Comm100's products. In her spare time, she likes learning new things and sharing with others. Connect with Anna on LinkedIn.