Click2Gov for CX User Registration Process
DB2, SecureWay, and AS400 are ® Registered Trademarks of IBM Corporation. Windows, Windows NT, Windows 2000 and IIS (Internet Information Server) are ® Registered Trademarks of Microsoft Corporation.
One of the primary goals of Click2Gov for CX is to encourage end users to automatically pay their utility accounts via the online interface. In the long run, this will provide the best cost benefit to the utility by reducing both billing and collection costs. Toward this end, Click2Gov must collect and securely maintain payment media information (credit card numbers, etc.) for the end users. To accomplish this, Click2Gov utilizes an account access methodology similar to those typically used on the Internet. This document will explain the Click2Gov for CX User Registration Process. For more information on the maintenance of the PINs (Personal Identification Numbers) created by this process please read the on-line support document Click2Gov for CX PIN Maintenance.
Account Setup
When Click2Gov is first installed, a utility from the Click2Gov Console is run that generates Initial PINs (Personal Identification Numbers) for ALL accounts in the client's CX database. Two flags are also set on each account:
For more information on PIN Generation, please read the on-line support document Click2Gov for CX PIN Maintenance.
PIN Distribution
The next step is to distribute these Initial PINs to the end users. While Sungard Public Sector will provide some assistance in this process, it is primarily the client's responsibility. Some possible methods of distribution include:
Security and PINs
Keep in mind that only one customer can register for each account number (LID/CID) in your system. This means that should malicious third parties obtain the initial PINs and register for the accounts, they would effectively block the legitimate user from access. The benefit to this is that once the intruder has blocked the account by registering it, the legitimate user will not be able to register and supply payment media information. If the legitimate user registers the account first, it is blocked from any other potential user. The worst thing that could happen, as stated above, is that a malicious party could block the accounts of your customers if they came into possession of the initial PINs. This explains the recommendations above for verification of account ownership, no automated email responses and no inclusions on postcard bills.
No payment media information is displayed in Click2Gov after it is first inserted, with the exception of the last four digits of the credit card number (which is the highest common legal requirement in effect). No payment media information is stored on the web server. This is all stored on the Sungard Public Sector application server with all the file level security that the AS400 provides. Therefore, even if a third party were able to access a customer's account, the worst thing they could do is pay the customer's account using the customer's credit card (they could not use the credit card for any other account or any other purpose) and view the customer's account history. This minor infraction would not be due to weaknesses in the Account Registration Process, but either because the customer intentionally or unintentionally gave out their PIN after they registered or because a third party took the time and effort to try the 60 million plus possible PIN combinations.
The End User's Initial Sign-In
When a user signs in, first the LID and CID that make up an end user's account number are compared to the PIN in Click2Gov. If they match, the "Has this PIN been changed by the user?" [Initialized] flag is checked. On their first sign-in this will be "No", so they are redirected to a page for account registration.
As you can see, this page requires the end user to change their password, supply a reminder to it and provide a valid email address. The email address is really the goal here. By validating the email address (in the next step) we are assured that we have a means of direct communication should a payment transaction fail and a means of tracing the individual in the case of malicious behavior (this is more a deterrent than an actual remedy). At this point the customer account flags have been set to:
Email Address Confirmation
Once the user submits this information, a thank-you screen is displayed, the "Has this PIN been changed by the user?" flag is changed to "Yes" (as noted above) and an email is sent to the address provided. This email contains a link to a special page where the end user's account can be enabled.
The link in this email is provided as a complete URL so as not to exclude users that utilize text-only email readers. In this case, the URL can be copied or typed into a browser address line.
Enabling the account
When the end user goes to the link specified in the email, the following web page is displayed:
Once they type in their account number and the new PIN they have selected in the previous step, Click2Gov knows that the email address they provided is correct since, if the email address was invalid, the user would never have gotten the link for this page. With the email address validated, Click2Gov enables the end user's account. The account flags now look like this:
After this has taken place, the user is redirected to the real login page, where they can log in and use their account. This completes the account registration process.
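The registration flow described above (initial PIN, forced PIN change, email confirmation, enablement), modeled as a small state machine. This is an added example, not Click2Gov code: the `enabled` flag name, the `awaiting_email_confirmation` state, the PBKDF2 PIN storage and all class and method names are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    initialized: bool = False  # "Has this PIN been changed by the user?"
    enabled: bool = False      # assumed name for the second flag
    email: str = ""

class Registry:
    def __init__(self):
        self.accounts = {}  # keyed by (LID, CID)

    def generate_initial_pin(self, lid, cid, pin):
        salt = os.urandom(16)
        self.accounts[(lid, cid)] = Account(salt, _hash(pin, salt))

    def _pin_ok(self, acct, pin):
        return hmac.compare_digest(acct.pin_hash, _hash(pin, acct.salt))

    def sign_in(self, lid, cid, pin):
        acct = self.accounts.get((lid, cid))
        if acct is None or not self._pin_ok(acct, pin):
            return "denied"
        if not acct.initialized:
            return "register"  # first sign-in: redirect to registration
        return "ok" if acct.enabled else "awaiting_email_confirmation"  # assumed state

    def register(self, lid, cid, initial_pin, new_pin, email):
        acct = self.accounts.get((lid, cid))
        if acct is None or acct.initialized or not self._pin_ok(acct, initial_pin):
            return False  # only one registration per account number
        if new_pin == initial_pin or "@" not in email:
            return False  # the PIN must actually change; email is required
        acct.salt = os.urandom(16)
        acct.pin_hash = _hash(new_pin, acct.salt)
        acct.email, acct.initialized = email, True
        return True

    def confirm_email(self, lid, cid, new_pin):
        # Reached only through the emailed link; requires the *new* PIN.
        acct = self.accounts.get((lid, cid))
        if acct is None or not acct.initialized or not self._pin_ok(acct, new_pin):
            return False
        acct.enabled = True
        return True
```

Once `register` succeeds, a second attempt with the initial PIN fails, which is the first-registrant-wins behavior discussed under Security and PINs.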
For more information on maintaining the customer PINs and problems your customers may encounter, please read the on-line support document Click2Gov for CX PIN Maintenance.