InfoSend Response — 12/29/2006

REQUIREMENTS AND SCOPE OF WORK

A. General Requirements: EBPP

1. This requirement is met. The City will choose what it wants to call the EBPP application and add a button/link to www.ci.santa-ana.ca.us to give customers access to it. Once clicked, this link will take the customer to the EBPP portal that InfoSend will host.

2. This requirement is met. InfoSend will match the "look and feel" of the City's current site.

3. This requirement is met. InfoSend's technical team has reviewed the Section 508 standards and they are already compatible with our EBPP programming methods.

4. This requirement is met. All information is confidential and protected. User passwords are stored using a one-way hash and cannot be read by anybody. The application is hosted on a physical three-tier architecture. The presentation server, the application server, and the database server are separated onto different physical networks. Users can only connect to the presentation server over 128-bit SSL in order to ensure that all information passed from the customer to the application is encrypted. Anti-fraud features such as Address Verification Service (AVS) and Credit Card Security Coding (CSC) are used when payment transactions are processed.

Unauthorized users cannot access utility account data, bank account or credit card numbers, or other payment information. The data that InfoSend transmits to its payment processors is encrypted. Industry standard security methods safeguard data, and external site monitoring scans for open ports or other security issues. Proper access control methods ensure that internal users can only access the data that relates to their job functions. While InfoSend uses the Windows operating system for internal processing, the EBPP application itself is hosted on Red Hat Enterprise servers. InfoSend elected to use this operating system for its web hosting because independent studies have shown it to have fewer critical security flaws than Windows has had over the years.

Physical facility security measures are in place to prevent unauthorized access to data. Security cards/tokens are required to enter the building. Visitors must be signed in before entering. All servers are centrally located and only authorized staff members can access them.

The City can choose between many security options to protect customer data:

a. To enroll for the EBPP service, customers can be forced to enter more than just their account number (which is the basic requirement). The City can choose additional data fields — like previous bill amount.

b. The City can choose to use security certificates on outgoing emails. This will allow the customer to verify that the email came from the City's EBPP application.

c. The City can choose to simply email its customers a link to the EBPP portal to view the newest online bill, or it can email the bill itself. Encryption can be used to ensure that the emails are only accessible by the customer who enrolled for the service.