Proper management of credit card information has always been
a concern that calan takes seriously.
The ever increasing utilization of the application has
heightened the need for both you and calan to take all reasonable business
steps to protect that information. As a result we have elected to take an
aggressive set of measures governing how we COLLECT, DISPERSE and ARCHIVE credit
card information.
First, we have a difficult business model to accommodate. In
discussions, all of you have indicated a reluctance to absorb the costs of a third
party payment firm. calan has no desire
to become a bank, where we would incur additional accounting costs and assume greater business
risks that we would be forced to pass on to you in the form of higher
subscription rates. However, we do want to improve our management of this
information.
Based on our research of PCI compliance requirements, there
are three main areas of concern: the collection of the information and, perhaps
even more important, what happens to the information once it is collected, with
respect to dispersal and archiving.
As this is clearly a sensitive and critical component of
successful customer service and internal business work flow, we want you to be
aware of our migration plan and timing so you can manage your customers'
expectations and internal teams. A timeline for the three
initiatives we are undertaking is provided at the end of this document for your review.
Here is how we will be addressing each of those three
critical components of information management:
1. How we COLLECT information
We have obtained an SSL certificate and created a secure
transaction page. When implemented, Users who select to pay by credit card on
the Payment Selection screen will receive a pop-up informing them that they are being redirected
to a secure page. They will be given an option to decline. If they so choose,
they will be returned to the Payment Selection screen where they can select an
alternative payment type.
Once on the SSL credit card entry
screen the User will be informed of the following:
The credit card information will be emailed to your Program Manager and
then deleted.
Should you need to update your information
please contact:
< Name of G2S Program Manager of the G2S URL inserted >
< Phone of G2S Program Manager of the G2S URL inserted >
< Email of G2S Program Manager of the G2S URL inserted >
Should you wish to cancel, select
the "X" in the upper right corner to close this secure pop-up.
Note:
All credit card fields are required before the User can click Submit.
The User cannot Submit without completing the required entries.
We DO NOT validate the card in any way.
On Cancel by the User (should they exit the SSL pop-up without selecting
Submit):
calan will purge any credit card information entered and
return the User to the Payment Selection screen. The User may select an
alternative payment type.
On Submit by the User:
The User is shown a pop-up:
You are leaving the SSL secured
environment.
You will be returned to the Payment
Selection screen where you can change your Payment Type if you wish.
When you select NEXT on the Payment
screen your information will be sent to your Program Manager and deleted.
calan retains the credit card information entered only for use in that email.
When the User clicks NEXT from the Payment screen, a confirming alert appears:
Your credit card information has
been emailed to your Program Manager and deleted.
The credit card information for
this order can no longer be edited.
If you canceled your credit card
entry, please select Cancel below and choose another payment type from the
Payment screen drop down.
Select OK to continue with your
order.
When the User clicks NEXT from the Payment screen, the
information is sent in an email to the designated < email of G2S
Program Manager of the G2S URL > and purged from our servers.
A User returning to the Payment
screen in Edit mode will see the following:
The credit card information previously entered
is on file.
Should you need to update your credit card information or change the payment type
selection, please contact:
< Name of G2S Program Manager of the G2S URL inserted >
< Phone of G2S Program Manager of the G2S URL inserted >
< Email of G2S Program Manager of the G2S URL inserted >
2. How we DISPERSE the information collected
The information collected is sent in a single email to the email alias of your
designated Program Manager for the G2S URL when the User clicks NEXT on the
Payment screen after completing our SSL credit card collection screen.
The credit card information collected is not written to any
other screen or report.
In all cases where the information might be expected to
appear, the following insert is shown instead:
Credit Card on File with:
< Name of G2S URL Program Manager >
< Phone of G2S URL Program Manager >
< Email of G2S URL Program Manager >
Once the email is sent, calan no longer retains any credit card information on
our servers.
3. How we ARCHIVE the information collected
calan does not retain any credit card information on
the system servers or on the email servers used to send the information to your
G2S Program Manager. Except for the short interval between the User's Submit on the
SSL screen and NEXT on the Payment screen, during which the automated email is
built and sent, calan does not hold the information in any form outside of our
SSL collection environment. Your Program Manager is the only recipient of this information.
To support the cut over to our new procedures, we have
built a report that will allow you to capture your entire history of credit
card activity, should you choose to do so. Please contact us at support@calancom.com to confirm that you
want this data and to arrange a transfer of existing records. The timeline
at the end of this document indicates our PURGE date.
4. What you should consider:
calan passes the information
to a single email alias for your Program Manager. Once received, the information
should be managed within your own protocols to ensure that dispersal of the
information is restricted to an identified set of individuals and that any
archiving of the information is done in an encrypted environment.
Printed copies should be strictly
limited, restricted in distribution and destroyed when no longer required.
Should you need to contact your customer regarding the card
for any reason, the Project Summary will identify who entered the request and
provide their contact information.
As noted above, the external User placing the order is
provided your Program Manager's contact information should they need to contact
you with respect to the credit card information or any other issue pertaining
to the selected payment type for their order.
Deployment Timeline:

Date   | Step Taken
-------|-----------------------------------------------------------------------
May 8  | Go2Show SSL initiative advisory released. Please begin any communication
       | efforts you feel appropriate to your customers and internal employees.
May 15 | Cut over to SSL credit card collection process implemented.
       | Note: For the first week, ending on May 21, the immediate delete of the
       | information collected will NOT be executed. This is to allow for your
       | validation of the process and to accommodate any adjustments to your
       | internal work flow.
May 23 | Immediate delete of collected information from calan servers implemented.
       | Individual site data purges begin. History reports available if requested.
May 31 | All credit card history for all sites will be purged from calan servers.