<< Click to Display Table of Contents >>

User Management Security for Administrator Users

The following will explain in detail Custom Vantage Office Security settings to conform to the Mercury PCI Compliance Checklist. There are requirements in this section that Administrator users should setup, although Custom Vantage Office has put default settings, it is recommended that it must be checked and set to at least the default settings as shown in the screenshot below or better.  These are all required when Mercury Integration option is enabled in the Company Preference form.


The following setup can be accessed from System menu > Security Policy.



When editing any of the options in the Security Policy (by clicking the ellipse button), a separate form will open as shown below to edit the value. 


Policy Group: Password Policy

Passwords must be changed at least every 90 days – Not more than 90 days but less is ok.



If 90 days is set as maximum password age, then when password’s age reaches 91 days, from the time the password was changed, then the Password expired message will be shown.


Example:  Jan. 1, 2010 was the last time user’s password was changed, on the 91st day, i.e. April 1, 2010 (counting starts from the day the password was changed), the Password expired message will be shown.



Passwords must be at least seven characters – Not less than 7 characters but more is ok.
Passwords must contain at least one numeric character, one special character, one upper case letter and one lower case letter - All options must be enabled.



Passwords to be accepted must comply with the above requirements.  If it fails, the invalid password message will be shown.



Passwords must not be the same as the last four used – Not less than 4 passwords remembered but more is ok.



A history of user’s password is being tracked by Custom Vantage Office.  In this security policy, if Enforce password history is set to 4, then it will not allow you to submit a new password that is the same as any of the last 4 passwords.  Say you have entered a new password the same as any of the last 4 passwords, this message will be shown.



Policy Group: Account Lockout Policy

Account lockout Duration – Not less than 30 minutes but more is ok.
Account lockout threshold – Not more than 6 but less is ok.



Maximum login attempt is up to 6 times, however Custom Vantage Office defaults it to 3.  If 3 is set in the Account lockout threshold and 30 minutes is set in the Account lockout duration, then failure to login three times in a row will result in the account being locked out for 30 minutes or until unlocked by another administrator.


This message will be shown when you failed to login three times in a row.  And the 30 minutes locked out is based on the default setting in Security Policy form > Account Lockout duration.



When you tried to login using the same user within 30 minutes, this message will be shown letting you know the actual remaining time of locked out.



The administrator though has the ability to unlock the said user from being locked out.  Here is how to do it.


Administrator must login and uncheck the User is Disabled option in the User Security form of the said user.



Require login if user account is idle – Not more than 15 minutes but less is ok.



If 15 minutes is set in Require login if user account is idle field, after a user idle time of 15 minutes, the password must be re-entered.


Custom Vantage Office login form will prompt once the user becomes idle for a period of time.