How You Secure Access to B2C Service

There are multiple methods available to access B2C Service, like the Customer Portal, integration frameworks, and the Service Console. Each of these methods should include defining who will have access, as well as determining how the connection and the in-transit data are protected.

Restricting Host Access

Restricting access to a customer site can help reduce opportunities for unauthorized access. You can define the hosts that can and cannot access a site with the Customer Portal SEC_VALID_ENDUSER_HOSTS, SEC_VALID_ADMIN_HOSTS, and SEC_VALID_INTEG_HOSTS configuration settings. See the Oracle B2C Service Secure page in the B2C Service documentation for more information.

Establishing Credentials

In PCI and HIPAA environments, users must have unique identifiers and complex passwords. While B2C Service customers control their own password complexity, requirements specified by the PCI DSS are expected in a PCI environment and are a good rule of thumb for all other environments.

These are the current minimum requirements for passwords in a compliant environment:

  • They must be at least seven (7) characters long.

  • They must contain both numeric and alphabetic characters.

  • They must be forced to change periodically.

  • They cannot be the same as the previous four (4) passwords.

  • They must provide a temporary lock-out after six (6) invalid attempts.

By default, B2C Service enforces most of these minimum requirements, and in some cases enforces stricter minimums. We provide the ability for you to configure the settings in a PCI-compliant manner. You are responsible for documenting your settings and supplying guidance to your users on circumstances under which passwords should be changed (for example, when there is suspicion that a password has been compromised).

You can find instructions for setting these configurations in Configure Staff-Member Passwords.

Additionally, access to any public-facing interface is encrypted by default, but you should also consider using the SESSION_HARD_TIMEOUT and CLIENT_SESSION_EXP configuration settings. These control agent and staff member re-authentication time limits.
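
The five minimum password requirements listed above, written out as an added Python sketch. This is not B2C Service code, and B2C Service enforces these rules through its own configuration settings. The 90-day maximum age and 30-minute lock-out are assumptions, because the requirements say only "periodically" and "temporary"; the Account class and its method names are hypothetical.

```python
import hashlib, hmac, os, re, time

MIN_LENGTH = 7          # at least seven characters
HISTORY_DEPTH = 4       # not the same as the previous four passwords
MAX_FAILURES = 6        # lock-out after six invalid attempts
MAX_AGE_DAYS = 90       # assumption: the page only says "periodically"
LOCKOUT_SECONDS = 1800  # assumption: the page only says "temporary"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical in-memory account record
    def __init__(self):
        self.history = []  # [(salt, digest)], newest last, never plaintext
        self.changed_at = 0.0
        self.failures, self.locked_until = 0, 0.0

    def set_password(self, new, now=None):
        """Return the list of violated rules; store the password only if empty."""
        now = time.time() if now is None else now
        problems = []
        if len(new) < MIN_LENGTH:
            problems.append("too short")
        if not (re.search(r"[0-9]", new) and re.search(r"[A-Za-z]", new)):
            problems.append("needs letters and digits")
        recent = self.history[-HISTORY_DEPTH:]
        if any(hmac.compare_digest(_hash(new, s), d) for s, d in recent):
            problems.append("reused")
        if not problems:
            salt = os.urandom(16)
            self.history = (recent + [(salt, _hash(new, salt))])[-HISTORY_DEPTH:]
            self.changed_at, self.failures = now, 0
        return problems

    def login(self, password, now=None):
        """Return 'ok', 'denied', 'locked', or 'expired' (change required)."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1] if self.history else (b"\0" * 16, b"")
        if not hmac.compare_digest(_hash(password, salt), digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until, self.failures = now + LOCKOUT_SECONDS, 0
            return "denied"
        self.failures = 0
        expired = now - self.changed_at > MAX_AGE_DAYS * 86400
        return "expired" if expired else "ok"
```

The history keeps only salted PBKDF2 digests, so the reuse check never requires storing an old password in recoverable form.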

Setting Data-Management Policies

You should align your data-management policies to your business policies. For example, you can determine how long closed incidents remain in the database and how long archived incidents remain in the archive. The control settings for these are ARCHIVE_INCIDENTS and PURGE_ARCHIVED_INCIDENTS. You can find more information about these at Answer ID 7105.

Enforcing a Secure Protocol

Customers who deploy Customer Portal can also determine which pages and widgets require authentication by end-users. As a best practice, enforce a secure protocol when transmitting login credentials. The CP_FORCE_PASSWORDS_OVER_HTTPS configuration setting enables passwords to be sent over an encrypted connection. This customer-facing configuration helps protect users from malicious activity like password theft, profile hijacking, or eavesdropping on non-public data. It enables an encrypted connection during both the login process and all subsequent operations by logged-in users.

When using CP_FORCE_PASSWORDS_OVER_HTTPS with custom login pages and/or input widgets on the Customer Portal, communication will need to be directed over HTTPS. To do this, incorporate the page meta tag force_https.

If you choose not to require passwords for end-users, it is still possible to enforce HTTPS with the SEC_END_USER_HTTPS configuration setting. This same setting forces HTTPS for Chat sessions and affects the absolute URLs generated in outgoing email messages. You should work with your account manager or technical support to change this setting. Be careful, because you could break your instance if it is not set up properly at the Web server to accept SSL. For customers with a vanity URL, exercise caution when changing this setting. Reference the SEC_END_USER_HTTPS configuration setting when contacting B2C Service Technical Support.

Securing Connectivity

You can access B2C Service from nearly anywhere. Since B2C Service is accessible from the internet, consider the typical precautions when connecting to it. You should have the proper encryption, antivirus, and network rules implemented per your own security policies. PCI DSS and HIPAA frameworks require that all connectivity be made using an encrypted connection. Both PCI DSS V3.2 and NIST strongly recommend that no less than TLS 1.2 be used to provide secure transmission of sensitive data.