Security is one of the top concerns of enterprise businesses when they are looking to adopt a SaaS solution. A secure SaaS provider requires world-class data centers, stringent identity management and training processes, and rigid security standards.
Comm100 Live Chat provides an enterprise-grade live chat application, with security features that perform at the top of the industry. As a SaaS and customer-driven company, we know the true challenges of providing quality and secure live chat services, inside and out.
We have policies and practices that address a whole range of security concerns, building oﬀ of a solid foundation that helps our clientele exceed their customers’ expectations.
In this security white paper, we present a detailed and comprehensive report on Comm100 Live Chat’s security processes and standards; through this we hope not only to prove our commitment to protecting our customers’ data, but also explain to interested parties how we keep our application safe from cyber threats. Let us show you how Comm100 Live Chat is establishing the benchmark in secure online chat communications.
The PDF version of the white paper is also available. You can download it to your local drive for future reference. Download PDF Version
The Comm100 Live Chat application allows agents to monitor and engage visitors, as well as obtain crucial information regarding their purchasing and website surﬁng habits. The security measures at the application level help keep this sensitive data guarded from online threats.
When a chat connection is built, all data collected from visitors by Comm100 Live Chat via multiple forms (i.e. browsers, pre-chat, post chat survey), as well as chat messages transmitted between live chat operators and visitors, is encrypted through HTTPS protocols utilizing the advanced TLS encryption.
With the Credit Card Masking feature enabled, credit card numbers that are sent by visitors directly through chat window to operators will be automatically masked and kept private. Instead, you can use the PCI DSS compliant Secure Form to collect sensitive information from visitors during chatting.
Our PCI DSS compliant Secure Form allows you to request sensitive data such as credit card number from visitors through the chat window. No such data will be stored in our database and operators can only access the data during the chat session. Once the chat session ends, both operators and visitors cannot get the data. The Secure Form is certiﬁed for PCI DSS compliance. If your business is PCI DSS compliant and you use our Secure Form to collect credit card holder data during the chats, you will stay compliant without additional audits or expenses.
You can authorize speciﬁc IPs or IP ranges for your Comm100 Live Chat account. This limits operators to access their accounts from designated IPs. IP restrictions can also be enabled for mobile access.
Passwords are a crucial and an often-overlooked component of data security—as a result, they can be particularly vulnerable to attacks. Comm100 Live Chat’s password security system revolves around the following features:
All passwords are authenticated by HTTPS.
All passwords stored in company databases are kept private through irreversible encryption.
Passwords are required to meet certain complexity requirements as set by users. Customizable password requirements for operators include:
If the incorrect password is entered for an operator’s account ﬁve consecutive times, CAPTCHA veriﬁcation is enabled to prevent malicious attacks.
Account lock-out can also be enabled after a predeﬁned times of failed login attempts.
While operators are logged into their live chat accounts, Secure and HttpOnly ﬂags are set in the session-only cookies to ensure account security.
In Comm100 Live Chat, operators can be assigned customizable permission settings. This limits the actions operators can take as management ﬁnds appropriate.
Permissions can also be granted at department and group levels.
Permission tasks include, but are not limited to:
All agent activities can be tracked through audit logs, providing management with accountability for all actions performed within the application.
You can track information in the audit logs by time period, keyword, and ﬁlter for time-sensitive resolutions. Through permission settings, access to audit logs can be restricted to administration and trusted agents.
A quality live chat application requires the most secure infrastructure possible.
Comm100 Live Chat is committed to only the best, most advanced procedures and policies to keep the foundation of our operations secure.
Comm100 Live Chat is PCI DSS compliant as a service provider. PCI DSS (The Payment Card Industry Data Security Standard) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Being PCI DSS compliant, we are enforcing the industry leading security controls over the physical environment and all procedures and processes governing our software development, deployment and operation. Our security management is fully repeatable, deﬁned and consistent.
Beginning with the very ﬁrst point of contact, strong security measures are put in place. All chat requests are validated through a third-party ﬁrewall. This ensures that only legitimate chat requests will be accepted, so that the security of the host website will not be compromised.
All our servers, including chat servers, application servers, and database servers, together with our switches and ﬁrewalls, are hardened complying with relevant standards, including Windows server hardening standards, IIS hardening standards, etc.
An up-to-date, industry accepted anti-virus solution is critical for successful operations. Comm100 Live Chat has an anti-virus solution that is properly implemented and kept up-to-date. Additionally, all staﬀ members who may have access to the production environment have active and enabled anti-virus on their PCs.
Crucial security patches that call for immediate action will be installed within 30 days of patch release. Non-crucial security patches will follow periodic review on a monthly basis, and are applied only after thorough assessment. Additionally, all security patches are immediately installed when setting up a new server.
To ensure top quality, all patching and software updates must pass rigorous testing before a CAB (Change Advisory Board) committee approval.
Comm100 Live Chat is partnered with recognized industry leaders such as Rogers, Peer1 and UK2Group. The data centers were chosen based oﬀ of their commitment to uptime, redundant power sources, and top security features. Comm100 Live Chat’s partner data centers pride themselves in:
Comm100 Live Chat servers are stored separately from others in the data centers to ensure maximum security and privacy. Access to the company’s servers are carefully monitored and recorded for review as necessary.
Comm100 Live Chat’s disaster recovery environment ensures continuity for clients, supporting all applications, services and components as they function in the production environment. Every change which passes through the CAB committee review will be performed in both the production and disaster recovery environments.
In the event of a regional disaster disrupting the normal production environment, data backups will be automatically restored to the disaster recovery environment and the service can be up and running in minutes.
Unplanned downtime can greatly impact businesses, preventing crucial customer service from taking place; this costs companies lots of money.
According to Ponemon Institute, data center downtime costs companies $7,908 per minute. In order to help customers achieve virtually 100% uptime, Comm100 Live Chat provides its very own MaximumOn™ technology.
With the MaximumOn™ technology, your live chat solution is deployed in two separate data centers. When deployment in one data center fails, the redundant deployment in a diﬀerent data center will automatically take over. Web site visitors will not even notice the switch, and on-going chats remain intact.
Comprising industry-leading component and system level redundancies, Comm100 Live Chat’s MaximumOn™ technology can sustain the live chat service during almost all kinds of component, system, and data center level failures, including planned downtime as well as regular system maintenance.
Comm100 Live Chat is PCI DSS compliant as a service provider and we comply with strict standards regarding processes and procedures in our daily operations.
Changes at the foundational level are managed under regulated operations detailed in the company’s Change Management Process.
Examples of the changes covered include (but are not limited to):
In addition, we have employed explicit permission management regarding the login authority to our database. Any operation that may harm our database security is strictly prohibited.
Operation security strategies are only as strong as the team that implements them. The Comm100 Live Chat internal development training covers:
PCI DSS deﬁnes the speciﬁc permissions and duties of diﬀerent roles in a company’s security team. At Comm100 Live Chat, we strictly follow the standards in our daily security operations.
Comm100 Live Chat has a complete incident response plan in place to ensure business continuity. Alarm tools are implemented to identify any potential incident.
Our Information Security Team will be notiﬁed immediately of any suspected or real security incidents involving Comm100 Live Chat computing assets, particularly any critical system or system that handles or processes cardholder or other Personally Identiﬁable Information. Incidents will then be classiﬁed into diﬀerent levels and be taken care of according to speciﬁc procedures.
Access to Comm100 Live Chat servers and databases is strictly controlled by:
Comm100 Live Chat’s Service Maintenance team monitors the application round the clock, ensuring that potential risks are noticed and acted upon immediately.
As a live chat provider for companies and organizations around the globe, Comm100 Live Chat sets the highest possible standards for how sensitive data is handled. We hope this document serves to inform you about our processes and protocols, as well as about our unwavering commitment to security.