Security Settings

Account Settings

These Account Settings security options apply only to users in the account who do not have permission to view full credit card numbers.

PCI Compliance standards require users that have permission to view full credit card numbers to have a session timeout of 15 minutes and password expiration of 90 days.

Session Timeout

Select 8 hours, 4 hours (the default), or 15 minutes.

When the specified timeout is reached, the user must re-enter their password to re-activate their session.

Expire user passwords after

Select 90 days (the default), 180 days, 365 days, or Never.

> Note: A user's password expires after that number of days, regardless of when they last logged in.

Mask date of birth field?

Select this check box to mask the date of birth (similar to how a password field is usually masked).

Security Settings

If either Full CC Number Access option is selected at the account level (), and the user has both of those options off at the event level (), then that user’s security settings are determined by these Account Settings.

If either Full CC Number Access option is selected at the account level (), and the user has either of those options on at the event level (), then that user's security settings are determined by PCI Compliance standards.

The value of these options at the event level does not affect the user’s security settings ().

Best Practices

The session timeout and password expiration options required by PCI Compliance are very restrictive.

These options will be cumbersome to most users.

Therefore, unless access to the Full CC Numbers is absolutely required, the account Administrator should turn off the Financial and/or Accommodation modules.

Turning off the Financial and/or Accommodation modules enables these Account Setting options to be utilized.

Other Settings

Set Email FROM value to

Select the email address you wish to use for sending emails from Certain.

The email address will be listed as the From: address on all emails.

Use event-information@certain.com

If selected, all emails will be sent from the email address "event-information@certain.com".

Registrants will not be able to respond to this email address.

Use Event Registration Contact

If selected, all emails will be sent from the email address of the registration contact for the event.

The registration contact is set up under .

Registrants will be able to reply to this email address.

> NOTE: When you send email to registrants, the From and To fields saved on the take precedence over the choice on this Security Settings page (and over the information in the event.)

> CAUTION: If you select the second option, Use Event Registration Contact, emails sent from your domain through Certain may be rejected or marked as spam by recipient mail servers that enforce DMARC.

To pass DMARC checks for email sent from your domain through Certain, you will need to set up Sender Authentication.

This involves adding three (3) DNS records to your FROM domain so that messages Certain sends on your behalf are properly aligned for SPF, DKIM, and DMARC.

How to set up Sender Authentication:

1. Email help@certain.com and let us know the FROM address domain (or domains) you plan to use.

2. Our Support team will generate the three DNS records specific to your domain and send them back to you.

3. Add the provided records to your domain's DNS configuration.

4. Once the records have propagated, email sent from Certain using a FROM address on that domain will pass DMARC at the recipient.
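The alignment check a DMARC-enforcing recipient applies, as an added example (not Certain's code) showing why mail with your FROM domain fails before Sender Authentication and passes after. All domains and the DMARC record are constructed placeholders; the two-label organizational-domain rule and the post-setup SPF/DKIM domains are simplifying assumptions.

```python
# Added example (not vendor code): DMARC identifier alignment per RFC 7489.
# All domains and the DMARC record below are constructed placeholders.

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: real evaluators use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, dmarc_txt, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', 'fail:<policy>', or 'none' when no valid policy is published."""
    policy = parse_dmarc(dmarc_txt)
    if policy is None:
        return "none"
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else "fail:" + policy.get("p", "none")

CUSTOMER_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed record

def before_setup():
    # SPF and DKIM both verify, but for the platform's own domain, so neither aligns.
    return dmarc_result("example.com", CUSTOMER_DMARC,
                        True, "bounce.esp.example.net", True, "esp.example.net")

def after_setup():
    # Assumed outcome of setup: return-path and DKIM d= sit under the FROM domain.
    return dmarc_result("example.com", CUSTOMER_DMARC,
                        True, "bounce.example.com", True, "example.com")

if __name__ == "__main__":
    print("before:", before_setup())
    print("after: ", after_setup())
```

A message passes DMARC when either SPF or DKIM both verifies and aligns with the From: domain, so a valid SPF or DKIM result for the sending platform's own domain does not help.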

Email whitelisting / IP allow-listing

If your IT team needs to add Certain's outbound mail servers to an allow list (rather than, or in addition to, configuring Sender Authentication), email help@certain.com.

Certain will provide the current IP addresses for Certain's email servers.

For more information on DMARC, SPF, and DKIM, see and .

Restrict Email generation to Event Builder and above

If selected, then only Event Builders, Administrators, and System Masters will be able to send emails.

Example send locations include .

Other examples include sending via Mass Actions on report results, etc.

Default value = not selected.

Any user can send email when the setting is not selected.

Certain Google Analytics

If selected, then Google Analytics code is included on websites and forms.

A Google Analytics Tracking ID must be specified on the relevant setup page(s).

The setup page(s) include:

You can clear this check box to exclude Google Analytics.

Default = selected.

Google Analytics code is included on websites and registration forms, etc.

For full details of setting up Google Analytics in Certain, see this .

Show Default Statuses

If selected, then the 11 Registration Statuses included as defaults in Certain are available for use in events.

Default statuses are:

You can clear this check box to hide all default statuses.

When default statuses are hidden, all events in the account can use only the custom registration statuses added on .

Default = selected.

All default Registration Statuses are available for use.

> Caution: If this check box is cleared, then be sure to always have custom registration statuses set up in every event.

The status is a required field on registrations.

Enable CKeditor

If selected, as it is by default, then pages in which you can enter and edit HTML text (such as Promote > Communication > ) include an Enable Editor? check box.

Selecting Enable Editor? adds this third-party editor to the page.

You can clear this check box to remove the option to display the editor on those pages.

Clearing this check box leaves just a plain text box.

The plain text box allows entry of plain text or HTML.

The plain text box also allows pasting HTML text from an external editor.