Is there a way to change the timeout value for re-login when ek_ecom_ComplianceMode is enabled?


Is there a way to change the timeout value for re-login when ek_ecom_ComplianceMode is enabled?
The key looks like this in the siteroot\web.config:


The timeout cannot be changed. The reason is below.

Payment Card Industry Data Security Standard (PCI DSS) outlines requirements that payment applications must meet to be compliant. As per PCI DSS, a session is locked if it is idle for 15 minutes. The user must re-enter the password or log in again. So, as per the requirements of the PCI DSS, we cannot change the rule of compliance.

The site's Web.config file's ek_ecom_ComplianceMode element must be set to "true" to achieve and maintain PCI DSS certification.
As per PCI DSS, user accounts and passwords associated with CMS400.NET should be implemented as stated below. The term "user" refers to an Ektron administrator or anyone assigned the Commerce Admin role.

• Never allow the use of a group account
• Passwords must be changed at least every ninety days
• Passwords must be at least seven characters long
• Use numeric and alphabetic characters in passwords
• New passwords cannot match any of the last four passwords
• Lock accounts after six failed login attempts
• Lock out the account for at least thirty minutes or until the administrator unlocks it
• After 15 minutes of an account being idle, require a user to re-enter their login information
• Remove all default users
Note: http://documentation.ektron.com/cms400/v80/eCommerceComplianceGuide.pdf
Section 2.2.8 in the above link provides additional details.

The relevant section is below.

2.2.8 After 15 Minutes of an account being idle, require the user to re-enter login Information

The information in this section relates to PCI DSS 8.5.15.

Ektron CMS400.NET has a password security feature that automatically logs an administrator or user with the Commerce Admin role out of the application after 15 minutes of inactivity. Inactivity is based on requests that are made to the server.

Admins are members of the administrators group. The Commerce Admin Role is described here.
http://documentation.ektron.com/cms400/v8.70/Reference/Web/Users/Defining_Roles.htm
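The controls listed in the answer (the ek_ecom_ComplianceMode key, the 15-minute idle re-login from section 2.2.8, the six-failure lockout and the password rules) are shown together below as an added example. It is not part of the original answer and not Ektron's product code; Python is used so it runs stand-alone, although CMS400.NET itself is an ASP.NET application. The `<appSettings><add key= value=/>` layout of the constructed web.config fragment and every class and function name are assumptions.

```python
"""Added example, not Ektron's code: check that a CMS400.NET web.config has
ek_ecom_ComplianceMode enabled, then model the PCI DSS controls the answer
lists (15-minute idle re-login, six-failure lockout for 30 minutes, password
rules). All class and function names are hypothetical."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)        # PCI DSS 8.5.15 idle timeout
MAX_FAILED_LOGINS = 6                     # lock after six failed attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # lock for at least thirty minutes
PASSWORD_HISTORY = 4                      # may not match the last four
MIN_PASSWORD_LENGTH = 7

# Constructed web.config fragment. The <appSettings><add key= value=/> form is
# an assumption about how the key is stored; the key name comes from the page.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ek_ecom_ComplianceMode" value="true" />
  </appSettings>
</configuration>
"""


def compliance_mode_enabled(config_xml):
    """True only if ek_ecom_ComplianceMode is present and set to "true"."""
    root = ET.fromstring(config_xml)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "ek_ecom_ComplianceMode":
            return add.get("value", "").strip().lower() == "true"
    return False  # a missing key is treated as not compliant


class ComplianceSession:
    """Server-side session: a request arriving 15 minutes or more after the
    previous one is rejected and the user must log in again."""

    def __init__(self, started_at):
        self.last_request = started_at
        self.authenticated = True

    def request(self, at):
        if self.authenticated and at - self.last_request >= IDLE_LIMIT:
            self.authenticated = False  # idle too long: force re-login
        if self.authenticated:
            self.last_request = at      # activity resets the idle clock
        return self.authenticated

    def login(self, at):
        self.last_request = at
        self.authenticated = True


class LoginLockout:
    """Counts consecutive failures per user and locks the account for
    LOCKOUT_DURATION, or until an administrator unlocks it."""

    def __init__(self):
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> datetime when the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and the failure counter.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def record_failure(self, user, now):
        """Returns True if the account is locked after this failure."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILED_LOGINS:
            self._locked_until[user] = now + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

    def admin_unlock(self, user):
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


def password_acceptable(new_password, previous_passwords):
    """At least seven characters, letters and digits, and not one of the
    last four passwords. Plaintext comparison is for illustration only; a
    real system compares password hashes."""
    has_alpha = any(c.isalpha() for c in new_password)
    has_digit = any(c.isdigit() for c in new_password)
    if len(new_password) < MIN_PASSWORD_LENGTH or not (has_alpha and has_digit):
        return False
    return new_password not in previous_passwords[-PASSWORD_HISTORY:]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    print("compliance mode:", compliance_mode_enabled(SAMPLE_WEB_CONFIG))
    s = ComplianceSession(t0)
    print("request after 14 min:", s.request(t0 + timedelta(minutes=14)))
    print("request after 17 idle min:", s.request(t0 + timedelta(minutes=31)))
```

The session model counts idleness from the last request that reached the server, matching the answer's note that inactivity is based on server requests; a user who keeps a page open without generating requests is still logged out.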