AccessPay

Payments and Cash Management Automation Software

The AccessPay platform enables organisations to securely connect their back-office systems (ERP, Treasury Management System, Payroll System) to UK (Bacs, Faster Payments, CHAPS) and International (SWIFT, SEPA) payment schemes. Enhanced workflows and role based profiles mean that payment approval and submission can be controlled centrally and processes enforced.

Features

• Bacs Approved Payments Software
• Direct Debit Collections
• Bacs Approved Bureau Software
• Secure Integration
• Multi-bank connectivity
• International Payments
• Secure Access
• Enhanced Workflows
• Automated bank statement retreival & visualisation
• Reporting & Alerting

Benefits

• Automated payments direct to scheme
• Easily manage high volumes of direct debits
• Easy, centralized management of local government payroll
• Remove risks of fraud associated with manually processing payment files
• Remove complexity associated with generating bank compatible payment files.
• Centralise and control cross-border payments
• Only approved staff are able to access critical payment data
• Systemic enforcement of processes and control
• Fast access to cash position data across your banking estate
• Receive alerts notifying you of significant cash movements

£1,200 a licence a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charles.haworth@accesspay.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

111335345449133

Contact

Charles Haworth
+44 (0) 161 250 7778
charles.haworth@accesspay.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: ERP, CRM, Payroll and Treasury Management Systems.
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: Modern Browser - Chrome, Edge, Firefox, Safari, etc..

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have a 15 min SLA to respond to new queries; SLA's for tickets are tiered according to severity and business impact.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: There is a live chat widget embedded in the platform that allows users to open a live chat window. ; Through the live chat window users are able to start a live chat with an AccessPay support representative to ask questions or start a support ticket, raise a support ticket directly or speak with a representative about upgrading their account and adding extra features.
• Web chat accessibility testing: N/A
• Onsite support: No
• Support levels: AccessPay service hours are Mon-Fri 08:00 - 18:00 with extended hours to 22:30 for Priority 1 incidents.; ; Support incidents are assessed and categorised against standard levels, which as follows;; ; P1 Urgent: Incident resulting in entire production system being down with critical or major business impact.; P2 High: Incident resulting in inability to complete specific processing, with no viable workaround.; P3 Medium: Incident resulting in inability to complete specific processing, but a workaround does exist to allow said processing to complete.; P4 Low: Cosmetic or minor issue, minor or no business impact.; ; Target Resolution Times are as follows;; ; P1 - Urgent: Response SLA - 15 mins | Target Resolution: 2 hours | Escalation to Management: Immediate | Escalation to CTO: Immediate | Update Frequency: 30 mins; ; P2 - High: Response SLA - 30 mins | Target Resolution: 4 hours | Escalation to Management: 1 hour | Escalation to CTO: 2 hours | Update Frequency: 1 hour; ; P3 - Medium: Response SLA - 1 hour | Target Resolution: 24 hours | Escalation to Management: 4 hours | Update Frequency: 2 hours; ; P4 - Low: Response SLA - 1 working day | Target Resolution: 5 working days | Escalation to Management: 4 days
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Every new AccessPay client is given a dedicated implementation consultant to guide them through the onboarding process. The onboarding process itself consists of three milestones;; ; 1. Discovery - Define roles and responsibilities (Client, AccessPay, Bank), establish governance, collect data and sample files.; ; 2. Build - Complete file transformations, Set-up users, Configure workflows, Set-up file configuration.; ; 3. Test and Go-live - File testing with banks and connectivity testing, Training (on-site or webinar), Client UAT with bank(s), Client penetration testing; ; Typical project governance and communication cadence;; ; - Weekly progress call; - Weekly progress reports; - Increased frequency of calls and updates during testing and go-live; - Full handover to live
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: In the event that a client cancels their contract the data will be securely erased. If a copy of the data is required this will be in .CSV format and will not be chargeable unless otherwise described in the clients contract.
• End-of-contract process: Customers that wish to cancel their subscription with AccessPay must do so in writing 30 days before the annual renewal date. The request to cancel can be made to either of the Service Desk, our Finance team or directly with your Customer Success or Account Manager. Once acceptance of the request to cancel has been confirmed by AccessPay, removal of access for all client users will be initiated at a date agreed by both parties. Requests to extract data will not be chargeable unless otherwise described in the clients contract. AccessPay will reply to the data export request as per GDPR and will answer the client request within 30 days of receipt.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: AccessPay is a reactive browser based solution.; When accessing the platform website through a mobile device users are limited to the dashboard and the approval function.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: The AccessPay External Web API supports server-to-server interactions such as those between an ERP system and an AccessPay service.; All Schemes (Bacs, FPS, Swift and Host-to-Host) are supported.; ; The AccessPay Open API supports payment initiation, either through bulk files or via single or bulk submission in a JSON payload, as well as updates on payment statuses.; It also allows for access to balance and transaction information from underlying banks and collection of reports from the BACS scheme.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The AccessPay platform can be customised in the following ways;; ; Payments Automation (UK and International Payment Schemes);; - Role based profiles; - Workflow rules that segregate user duties within the software (create workflows by payment type, eg payroll and by area, eg Schools payroll with designated submitters and approvers in each).; ; Cash Management Automation;; - View cash balances by currency, region, division, bank, or any grouping determined by you.; ; In each instance it is the Administrative users who have the ability to add and remove users, create new workflows and alter role profiles.

Scaling

• Independence of resources: AccessPay aim to provide a service level availability of up to 99.5% for the service hours of your support contract .

Analytics

• Service usage metrics: Yes
• Metrics types: AccessPay provide the following metrics as part of our customer success progamme;; ; - Active users; - Transaction volume and value throughput reports; - Usage reports; - Service availability reports; - Incident management performance
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users with the appropriate permissions can download uploaded transaction files from the AccessPay portal once logged in.; Through the Audit function users are also able to run and export audit reports such as File Journey, User Access Monitoring, User Permissions, Admin Changes and a full Transaction report.
• Data export formats:
  • CSV
  • Other
• Other data export formats: XSLX
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • ISO 20022 - Pain.001
  • ISO 20022 - Pain.008
  • BACS Standard 18
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: AccessPay aim to provide a service level availability of up to 99.5% for the service hours of your support contract (see Section 2 Service Hours), with the exception of:; • Agreed routine maintenance windows; • Scheduled downtime; • Disruption / outages beyond the control of ACCESSPAY Systems; Service availability is calculated monthly using our automated monitoring.
• Approach to resilience: Available on request.
• Outage reporting: In the event of service outage, AccessPay will notify the clients stated business and technical contacts via email at the intervals outlined below according to the incident priority levels;; ; P1 - Urgent: Every 30 mins; P2 - High: Every 1 hour; P3 - Medium: Every 2 hours; P4 - Low: Daily

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: AccessPay operates RBAC based on the principle of least privilege and requires permissions from clients in some cases to get access to their data for support purposes. Access to systems is monitored and recorded for audit and monitoring purposes.; Users have clear role separations in the AccessPay solution and only approved users can contact AccessPay for support.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 18/09/2013
• What the ISO/IEC 27001 doesn’t cover: Not Applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: ECSC
• PCI DSS accreditation date: 31/08/2020
• What the PCI DSS doesn’t cover: PCI DSS Level 1 compliant
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO BCM 22301
  • SWIFT Approved software provider
  • BACS/FPS approved software provider

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
• Information security policies and processes: ISO 27001; ISO 22301; NIST security framework as base; ; Access Control Policy; Asset Management Policy; Data Protection Policy; Password Policy; Incident Management Policy; Vulnerability Management Policy; ; Internal and external regular audits, policies review, regular reporting to senior management and IMS committee

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All changes to our applications are tracked through JIRA, with those tickets retained and tagged for future reference relative to releases. Use of source control (Git) and pull requests that require approval from another developer provide opportunity for code and security review.; Static analysis is performed against all builds before reaching any environment, checking against OWASP Top 10, SANS Top 25, Common Weakness Enumeration: CWE, and SonarQube’s own security rules.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Threats are assessed using CVSS scoring and fixed based on the following score classifications;; Critical (CVSS 9+) < 2 Weeks; High (CVSS 7+) < 1 Month; Medium (CVSS 4+) < 3 Months; We collect information from several government and private agencies, for example new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) and National Vulnerability Database (NVD).
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Potential compromises/threats are identified using SIEM, vulnerability scanning, file integrity check, log monitoring, user activity monitoring and in-house-built application and system monitoring solutions which notifies abnormalities to our Security Team who react based on severity of the notification. Updates are provided hourly and most of the issues closed same day if no third party is involved.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: AccessPay users can notify AccessPay of incidents via our Customer Portal, email or telephone. Incidents are impact assessed and prioritized according to the following standards;; ; Priority Definition; P1 - Urgent Incident resulting in entire production system being down with critical or major business impact; P2 - High Incident resulting in inability to complete specific processing, with no viable workaround; P3 - Medium Incident resulting in inability to complete specific processing, but a workaround does exist to allow said processing to complete.; P4 - Low Cosmetic or minor issue, minor or no business impact ; ; Reports are provided to named business contacts.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  n/a
• Covid-19 recovery:

  Covid-19 recovery

  n/a
• Tackling economic inequality:

  Tackling economic inequality

  n/a
• Equal opportunity:

  Equal opportunity

  1) We recognise that discrimination is unacceptable and although equality of opportunity has been a long standing feature of our employment practices and procedure, we have made the decision to adopt a formal equal opportunities policy. Breaches of the policy will lead to disciplinary proceedings and, if appropriate, disciplinary action.; ; 2) The aim of the policy is to ensure no job applicant, employee or worker is discriminated against either directly or indirectly on the grounds of age, disability, gender reassignment, marriage and civil partnership, pregnancy or maternity, race, religion or belief, sex or sexual orientation.; ; 3) We will ensure that the policy is circulated to any agencies responsible for our recruitment and a copy of the policy will be made available for all employees and made known to all applicants for employment.; ; 4) The policy will be communicated to all private contractors reminding them of their responsibilities towards the equality of opportunity.; ; 5) The policy will be implemented in accordance with the appropriate statutory requirements and full account will be taken of all available guidance and in particular any relevant Codes of Practice.; ; 6) We will maintain a neutral working environment in which no employee or worker feels under threat or intimidated.
• Wellbeing:

  Wellbeing

  AccessPay has put steps into place to support our employee physical and mental health. We provide an Employee Assistance programme which provides a 24/7 helpline offering practical and emotional support on a range of topics. Through this programme, employees can also access up to 8 free face-to-face counselling sessions per topic, which includes Cognitive Behavioural Therapy (CBT). Alongside this, AccessPay have also trained 5 members of staff to become Mental Health First Aiders who are available to provide support to employee’s alongside HR and Line Managers.; ; AccessPay provides free gym membership to all employees who would like to take advantage of this. For those that don’t, there is a £20 monthly wellbeing allowance available for employees to use towards memberships or activities that aid their wellbeing. Employees of AccessPay are also provided access to a Health Cash Plan, allowing them to reclaim the cost of dental and optical checks, prescriptions, physiotherapy and a number of other health related costs.

Pricing

• Price: £1,200 a licence a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charles.haworth@accesspay.com. Tell them what format you need. It will help if you say what assistive technology you use.