Alarm installing companies rely upon wholesale central stations to provide monitoring services.  Although there are still some installing companies around who monitor their own accounts, unless the alarm company is large it isn't going to have enough accounts to justify the cost of the operation and the time that will have to be devoted.  It makes more sense to find a wholesale central station to work with.  So in the typical situation there will be the installing alarm company, the subscriber and the central station.

    The central station will have a contract with the installer.  It will also want a contract with the installer's subscriber.  Some central stations take the position that the installer is their customer, not the subscriber, and do not require a direct contract with the subscriber. [a mistake, but not today's topic].

    Central stations have their own forum to discuss matters of interest to them, and recently an issue came up that I thought would be of interest to everyone in the alarm industry, installers and central stations alike.  The question is: once a central station sets up the account with the subscriber's information, including passwords, codes, and who knows what else, from whom should the central station take instructions to make changes, and by what mode of communication?  This issue comes up more than you may think.  Here are just a few instances where the issue arises:

* alarm system put on test

* change in password

* change in opening and closing times

* change in who is authorized to have entry [common in domestic disputes]

* change in response protocol

 

    Can the central station take instruction from the installer?  The subscriber?  Verbally or only in writing?  Will email suffice?  Here is how some of the central stations responded to the question.  Since these comments were on another forum I have omitted their names and companies in this email, except for David Steward, who gave his permission to circulate his question.  In addition to his question he has the final comment below.  Thanks Dave.

***********

To all:

How has everyone handled requests that come in from phone calls or emails to add or delete user passcodes from their systems? What requirements do you have to have?

David Steward

Comtronics Alarm Center Mgr

www.comtronics.com

************

Responses:

******

    If the user is authorized on the account to make changes, and/or is verified, the changes are made and an update is routed back to the person of record on the account and/or to the dealer if specified.

    Not authorized or verifiable - the request is routed to the dealer first and no changes are made until the dealer ok's it.

    It's sometimes a double-edged sword - we're in the security business....but we're also in the customer service business.

JM

*************

    In order for our data entry dept to change a C.S. pass code or user (keypad) code, it MUST include a valid C.S. pass code.  We must receive it in writing by either fax or email and NEVER by phone.  Without a valid pass code, how do you know if an individual has authority to do anything to one of your subscriber's database?

JH

********

    We do not accept phone changes to the password.  The caller is told that we must receive the request via email, fax or US mail.  No one other than the person that executed the contract can change the password of another person.

    The caller can change their password, though.  The correspondence they send must contain their full name, current password, new password, etc.  We then scan and keep on file the written change order for the future.

DM

***********

    Looking at some of the responses to this question, I would like to say I hope that the email requests are handled through a secure website submission or encrypted email.  It would be very easy for someone to capture these email requests and see the requestor's password and all other information that is exchanged in an unsecured email.  Most people are not aware, typically the sender, how easily the information can be captured and saved.

    In my past days of running a central, an authorized user with the proper authority and password, we would do it over the phone, by mail, or by fax.  That user was authorized to cancel an alarm over the phone, so why not make changes?

Best Regards,

SK

***********

    Without commenting on which methods of updating user pass codes are acceptable and which are not, I have to disagree with Stephen's statement that "It would be very easy for someone to capture these email requests and see the requestor's password and all other information that is exchanged in an unsecured email".

    Only the ISP or the company running the email server would be in a position to do this. If anyone else wanted to do it, they would have to compromise either the sender's computer, the ISP or the email server. Not a simple task.

    It is a misconception that unencrypted traffic on the Internet is easily visible for all to see.

    If your Dealers or Customers are sending through a Gmail email account, it's possible for a Google employee to look at the mail. It's up to each individual Central to decide if that risk is acceptable when updating pass codes.

SN

*********

    I think that there are a couple of factors that should perhaps come into the consideration of the policy.

    First, whose customer is the subscriber?  If you are an exclusive third party central station as ACS is, the subscriber is the customer of your dealer client.  That is unless you as a third party have a direct contractual relationship with the subscriber.

    If the subscriber is not the customer of the central station but of the dealer - all permanent changes should come in written form from the owning dealer. If the subscriber is contracted with the central station directly, an authorized representative of the subscriber must provide the permanent change in writing.

    Written instructions must be of a formal nature and not a scribbled note. The instructions must state in sufficient detail what is desired so as to not contribute to confusion - no assumption of what is intended.  The instruction must indicate specifically who initiates the instruction and be signed.

    Central Stations would be wise to create a form specifically for changes.

    If there are changes that will be permanent but by their nature must be enacted immediately before written instructions can be supplied, take the instructions as a temporary change with a time line to be in effect (should not exceed 1 to 2 weeks).  Accept these over the phone with pass code from an authorized subscriber representative. When written instructions come from the authorized source - make the change permanent.

    When changes are requested in relation to some type of litigation (divorce, restraining warrant or separation of principals of an organization) seek to get the instruction as to the action from Attorneys or other legal authority.

JE

*********

Ken

    I should have phrased my question differently. I already knew the obvious answers. Don't do anything without an email/fax and have it include name, current passcode, desired passcode. But we get some requests saying "I've just been put in charge of our alarm system and I need to make some passcode changes", or those that have been in charge who keep calling to make changes and do not expect you to make them email/fax because they know the owner of our company and have never had to do this before! We do not like those people... We're in need of a statement that we can send them that says why we require things in writing, delicately. Anything you could mention in these regards will be appreciated.

Thanks    

David Steward

Comtronics Alarm Center Mgr

********