When working with Optimizely Configured Commerce, there are a number of options for controlling the specifics related to timeouts and passwords. Some of these options are configurable, while others are not. This article provides the information needed to understand the options related to the Admin Console and Websites (Storefronts).
You will find these settings in the Admin Console under Administration > System > Settings. Search for Site Timeout Minutes to adjust the timeout period for website users; the timeout period for Admin users cannot be modified due to PCI compliance implications. If Lockout Enabled is set to Yes, search for Lockout Time in Minutes under both the Console Security and Website Security sections.
To maintain compliance with PA-DSS, Configured Commerce controls the timeout periods for the website and Admin Console separately. These settings are built into the platform and are not configurable through the Admin Console.
Website Timeout Settings
By default, the website is set to timeout after 15 minutes of inactivity.
PA-DSS requires a timeout of 20 minutes or less, so if the client accepts credit card transactions, this should not be overridden.
Admin Console Timeout Settings
By default, after 12 minutes of inactivity, the user will receive a notification they will be logged out soon. After 15 minutes of inactivity, the Admin Console will timeout and log the user out of the console. It will then redirect the user to the login screen and once they sign in again, it will return them to where they left off.
Because some clients will not be taking credit cards as a form of payment and will instead rely on purchase orders, being able to adjust the time settings may be necessary. However, it is important to understand that changing timeout settings could possibly cause a site or environment to fall out of compliance with security standards such as PA-DSS.
You cannot modify the timeout period for Admin users due to PCI compliance implications.
Account Lockout Settings
User lockout is built into Identity Server and is enabled by default. When enabled, users who make five consecutive failed login attempts will be locked out for a period of five minutes. After the five-minute period has expired, the user will have five more attempts to log in. If those fail, the user will be locked out for an additional five minutes.
This cycle repeats until a successful login is made.
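The Admin Console idle-timeout thresholds (warning at 12 minutes, logout at 15) and the lockout cycle described above (five failed attempts, five-minute lockout, repeat until a successful login) can be modelled as a small state machine. The example below is added here for illustration and is not code from Optimizely or Identity Server; it assumes that login attempts made during an active lockout are rejected without consuming one of the five allowed attempts, and that a successful login resets the failure count. The scenario data at the bottom is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the article.
MAX_FAILED_ATTEMPTS = 5   # consecutive failures that trigger a lockout
LOCKOUT_MINUTES = 5       # length of each lockout period
WARNING_MINUTES = 12      # Admin Console: "you will be logged out soon"
TIMEOUT_MINUTES = 15      # Admin Console: session ends, redirect to login


def idle_status(last_activity: float, now: float) -> str:
    """Classify an Admin Console session by idle time (minutes)."""
    idle = now - last_activity
    if idle >= TIMEOUT_MINUTES:
        return "logged_out"
    if idle >= WARNING_MINUTES:
        return "warning"
    return "active"


@dataclass
class LockoutState:
    failed_attempts: int = 0
    # Minute at which the current lockout ends; None when not locked.
    locked_until: Optional[float] = None


def attempt_login(state: LockoutState, now: float, password_ok: bool) -> Tuple[bool, str]:
    """Apply one login attempt at time `now` (minutes). Returns (allowed, outcome)."""
    if state.locked_until is not None:
        if now < state.locked_until:
            # Assumption: attempts inside the lockout window are rejected
            # outright and do not count toward the next five attempts.
            return False, "locked_out"
        # Lockout has expired: the user gets a fresh set of five attempts.
        state.locked_until = None
        state.failed_attempts = 0
    if password_ok:
        state.failed_attempts = 0          # success ends the cycle
        return True, "success"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked_until = now + LOCKOUT_MINUTES
        return False, "lockout_started"
    return False, "bad_password"


def run_scenario(events: List[Tuple[float, bool]]) -> List[str]:
    """Replay (minute, password_ok) events against a fresh state; return outcomes."""
    state = LockoutState()
    return [attempt_login(state, t, ok)[1] for t, ok in events]


# Constructed scenario: two full failure cycles, a correct password that
# arrives while still locked out, then a success after the lockout expires.
CONSTRUCTED_SCENARIO = [
    (0.0, False), (0.5, False), (1.0, False), (1.5, False), (2.0, False),  # fifth failure locks until 7.0
    (3.0, True),                                                            # correct, but still locked
    (7.5, False), (8.0, False), (8.5, False), (9.0, False), (9.5, False),  # second cycle, locks until 14.5
    (15.0, True),                                                           # lockout over, success
]

if __name__ == "__main__":
    for (t, ok), outcome in zip(CONSTRUCTED_SCENARIO, run_scenario(CONSTRUCTED_SCENARIO)):
        print(f"t={t:5.1f} password_ok={ok!s:5} -> {outcome}")
    print(idle_status(last_activity=0.0, now=12.0))  # Admin Console warning point
```

The `locked_out` outcome for the attempt at minute 3.0 is the point to watch in logs: a correct password rejected during a lockout window is expected behaviour, not an authentication bug, and a run of `lockout_started` events for one account is the signal a monitoring rule would alert on.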
- Timeout is set to 15 minutes and is not configurable in order to maintain compliance with PA-DSS.
- For users who have the role ISC_Admin, ISC_System, or ISC_Integration, the password expires after 90 days (passwords for website users do not expire).
The password expiration is set in the code and is not configurable.