Security Best Practices Guide

Information security is of utmost importance to Comm100 customers. Security is a core functional requirement that protects critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.

Comm100 provides a series of security options that you can use to ensure that your confidential information is protected and secure. Comm100 strongly suggests that agents and administrators follow the best practices and ensure a safe environment.

If you are uncertain about the security of your Comm100 system, you can contact us by sending an email to support@comm100.com.



This article provides the following best practices, which increase the security of your Comm100 account and reduce the risk of a gap in your security:


Do Not Share Your Email Addresses or Passwords 

To maintain security, your agents and administrators should never share email addresses or passwords with anyone else. If you are using standard Comm100 login authentication, the only secure way to reset a password is to click the Forgot your password link on your Comm100 login screen. The screen prompts the user to enter a valid email address, to which an email containing a password-reset link is sent.

To learn about resetting your password, see this article.

If you use a third-party single sign-on authentication system such as JWT or SAML, passwords are reset through that service in the same way.


Restrict the Number of Agents with Administrator Privilege

Agents with administrator privileges have full access to your Comm100 account, which regular agents do not. By limiting the number of agents with administrator privilege, you lower your security risk. If you are concerned about your agents accessing information about your customers, you can create a role that prevents them from editing or viewing customer profiles.

You can create custom agent roles and decide which parts of Comm100 each role can access.


Audit Your Comm100 Account Regularly

It is considered best practice to check for suspicious activity routinely so that your Comm100 account stays private and secure. Comm100 suggests that you run through the following checklist frequently to ensure that no mistakes have been made that could leave your system vulnerable.

  • Review agent permission settings on the Global Settings > People > Agents page and look for unknown agents or administrators, or email addresses that are not in your company domain.
  • Review the role permission settings on the Global Settings > People > Role page and look for unknown agents or administrators who are not in your company domain.
  • Review the members of each Department.
  • Check the email addresses that are set up to receive chat transcripts and offline messages, and ensure they are all correct and up to date.

To learn more on managing agent permissions, see this article.


Monitor Audit Logs

Using the audit log, you can monitor various security events such as security management, block sender management, agent role management, and many more. This gives you a way to track many of the critical changes made to your account.

To learn about checking the audit log of your site, see this article.  


Authenticate Visitors and Agents with Single Sign-On

You can authenticate your visitor’s account information before initiating the chat using the Visitor Single Sign-On (SSO) feature. Once visitors log in, your agents can view their account information in Comm100 Live Chat. This helps them know who they are chatting with and avoid asking the same standard questions.

Comm100 supports Visitor single sign-on using Security Assertion Markup Language (SAML).

To learn more about the Visitor Single Sign-On, see this article.  

With Agent SSO (Single Sign-On), agents can use a single login across Comm100 and other applications. They only need to log in once to move securely between Comm100 and other applications, without logging into separate accounts or remembering multiple usernames and passwords. Comm100 supports Agent SSO via the SAML (Security Assertion Markup Language) or JWT (JSON Web Token) standard.

To learn more about the Agent Single Sign-On, see this article.

Note: The Visitor SSO and Agent SSO features are only available with our Live Chat Enterprise plan.


Ban Visitors from Initiating Chat Request

You can ban visitors from initiating chat requests. If a visitor is banned by visitor ID or IP address, they will no longer see the chat button in their web browser. In Comm100, you can ban visitors in the following three places:

  • When you are in the Control Panel.
  • When you are monitoring visitors in the Agent Console.
  • When you are in chat sessions in the Agent Console.

To learn more about banning visitors, see this article.


Request Sensitive Data from Visitors Using Secure Forms

Secure Forms, designed to meet PCI DSS compliance rules, let you request sensitive data such as credit card information from visitors during chat sessions. Information requested through Secure Forms is not saved in chat transcripts. You can design your secure form from the Control Panel's Live Chat > Settings > Secure Form page.


Block Sender for Unsolicited Messages

The Comm100 Ticketing system allows you to add an email account and create support tickets out of any emails received by those accounts. However, your email account might also receive some unsolicited emails, which can create tickets as well.

The Block Sender feature helps you block unsolicited messages from specific email addresses or domains and move them to the Ticket Junk folder or reject them.

To learn more about Block Sender, see this article.


Manage Restricted Words to Prevent Sending Sensitive Data

Create and manage restricted words that you don't want your agents to send to customers. Once this feature is enabled, restricted words in agents' messages will be highlighted, and the messages cannot be sent out until the restricted words have been removed.


Mask Credit Card Numbers

Once enabled, Credit Card Masking masks credit card numbers sent directly through the chat window or within any messages received from integrated channels (Facebook/Twitter/Email/SMS/WhatsApp for Business/WeChat), to protect your customers' data privacy. The credit card numbers are collected, processed, and transmitted in accordance with the PCI DSS rules.


Set Password Policy 

As an administrator, you can set an account-level password policy from the Control Panel using any combination of the following rules:

  • Password must have at least 8 characters
  • Require three of the four types of characters: uppercase, lowercase, numeric, and special (for example $, &, #, @)
  • Prevent use of agent names as passwords
  • Prevent commonly used password phrases, such as 123456, password, and qwerty
  • Password cannot be the same as one of the last 5 passwords
  • Password expires 40 days after creation and must be changed before the next login
  • Password can be changed at most 3 times within 24 hours
  • Account will be locked after 8 failed login attempts
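The rules above, expressed as checks a login service would run on a candidate password (an added example, not Comm100's code). Assumptions: the special-character set is Python's string.punctuation, the agent-name rule is an exact case-insensitive match, timestamps are epoch seconds, and the history list holds fingerprints of earlier passwords, oldest first.

```python
"""Checks for the account-level password policy rules listed above (added example, not Comm100 code)."""
import hashlib
import string

COMMON_PHRASES = {"123456", "password", "qwerty"}  # the three examples named in the policy
SPECIAL_CHARS = set(string.punctuation)            # assumption about what counts as "special"
HISTORY_DEPTH = 5            # "cannot be the same as one of the last 5 passwords"
MAX_CHANGES_PER_DAY = 3      # "can be changed at most 3 times within 24 hours"
EXPIRY_SECONDS = 40 * 86400  # "expires 40 days after creation"


def fingerprint(password: str) -> str:
    """History entries are stored as SHA-256 digests, never plaintext (demo only:
    a production store would use a slow, salted password hash such as Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def policy_violations(candidate: str, agent_name: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means it is accepted.
    `history` holds fingerprints of earlier passwords, oldest first."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in SPECIAL_CHARS for c in candidate))
    if sum(classes) < 3:
        problems.append("fewer than three character types")
    if candidate.lower() == agent_name.lower():  # assumption: exact, case-insensitive match
        problems.append("equals the agent name")
    if candidate.lower() in COMMON_PHRASES:
        problems.append("commonly used phrase")
    if fingerprint(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("reused one of the last 5 passwords")
    return problems


def change_allowed(change_times: list[float], now: float) -> bool:
    """Rolling 24-hour window over previous change timestamps (epoch seconds)."""
    recent = [t for t in change_times if now - t < 86400]
    return len(recent) < MAX_CHANGES_PER_DAY


def password_expired(created: float, now: float) -> bool:
    """True once the password is 40 days old and must be changed before the next login."""
    return now - created >= EXPIRY_SECONDS
```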


IP Allowlist for Agents

Once this feature is enabled, your administrator can control access to the Comm100 Control Panel and Agent Console by restricting logins to specific IPs or IP ranges. You can also restrict mobile access to your Comm100 account to authorized IPs.


Using OAuth Client Authentication

An OAuth Client is a token-based method of authentication that allows a third-party application to access your Comm100 account data using the OAuth protocol. You can create a new OAuth Client by providing the following details: client name, company, client ID, and redirect URLs.

To learn more about OAuth Client authentication, see this guide.