AccessPay

Payments and Cash Management Automation Software

The AccessPay platform enables organisations to securely connect their back-office systems (ERP, Treasury Management System, Payroll System) to UK (Bacs, Faster Payments, CHAPS) and International (SWIFT, SEPA) payment schemes. Enhanced workflows and role based profiles mean that payment approval and submission can be controlled centrally and processes enforced.

Features

  • Bacs Approved Payments Software
  • Direct Debit Collections
  • Bacs Approved Bureau Software
  • Secure Integration
  • Multi-bank connectivity
  • International Payments
  • Secure Access
  • Enhanced Workflows
  • Automated bank statement retreival & visualisation
  • Reporting & Alerting

Benefits

  • Automated payments direct to scheme
  • Easily manage high volumes of direct debits
  • Easy, centralized management of local government payroll
  • Remove risks of fraud associated with manually processing payment files
  • Remove complexity associated with generating bank compatible payment files.
  • Centralise and control cross-border payments
  • Only approved staff are able to access critical payment data
  • Systemic enforcement of processes and control
  • Fast access to cash position data across your banking estate
  • Receive alerts notifying you of significant cash movements

Pricing

£1,200 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charles.haworth@accesspay.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

1 1 1 3 3 5 3 4 5 4 4 9 1 3 3

Contact

AccessPay Charles Haworth
Telephone: +44 (0) 161 250 7778
Email: charles.haworth@accesspay.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
ERP, CRM, Payroll and Treasury Management Systems.
Cloud deployment model
Public cloud
Service constraints
N/A
System requirements
Modern Browser - Chrome, Edge, Firefox, Safari, etc..

User support

Email or online ticketing support
Email or online ticketing
Support response times
We have a 15 min SLA to respond to new queries
SLA's for tickets are tiered according to severity and business impact.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
There is a live chat widget embedded in the platform that allows users to open a live chat window.
Through the live chat window users are able to start a live chat with an AccessPay support representative to ask questions or start a support ticket, raise a support ticket directly or speak with a representative about upgrading their account and adding extra features.
Web chat accessibility testing
N/A
Onsite support
No
Support levels
AccessPay service hours are Mon-Fri 08:00 - 18:00 with extended hours to 22:30 for Priority 1 incidents.

Support incidents are assessed and categorised against standard levels, which as follows;

P1 Urgent: Incident resulting in entire production system being down with critical or major business impact.
P2 High: Incident resulting in inability to complete specific processing, with no viable workaround.
P3 Medium: Incident resulting in inability to complete specific processing, but a workaround does exist to allow said processing to complete.
P4 Low: Cosmetic or minor issue, minor or no business impact.

Target Resolution Times are as follows;

P1 - Urgent: Response SLA - 15 mins | Target Resolution: 2 hours | Escalation to Management: Immediate | Escalation to CTO: Immediate | Update Frequency: 30 mins

P2 - High: Response SLA - 30 mins | Target Resolution: 4 hours | Escalation to Management: 1 hour | Escalation to CTO: 2 hours | Update Frequency: 1 hour

P3 - Medium: Response SLA - 1 hour | Target Resolution: 24 hours | Escalation to Management: 4 hours | Update Frequency: 2 hours

P4 - Low: Response SLA - 1 working day | Target Resolution: 5 working days | Escalation to Management: 4 days
Support available to third parties
No

Onboarding and offboarding

Getting started
Every new AccessPay client is given a dedicated implementation consultant to guide them through the onboarding process. The onboarding process itself consists of three milestones;

1. Discovery - Define roles and responsibilities (Client, AccessPay, Bank), establish governance, collect data and sample files.

2. Build - Complete file transformations, Set-up users, Configure workflows, Set-up file configuration.

3. Test and Go-live - File testing with banks and connectivity testing, Training (on-site or webinar), Client UAT with bank(s), Client penetration testing

Typical project governance and communication cadence;

- Weekly progress call
- Weekly progress reports
- Increased frequency of calls and updates during testing and go-live
- Full handover to live
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
In the event that a client cancels their contract the data will be securely erased. If a copy of the data is required this will be in .CSV format and will not be chargeable unless otherwise described in the clients contract.
End-of-contract process
Customers that wish to cancel their subscription with AccessPay must do so in writing 30 days before the annual renewal date. The request to cancel can be made to either of the Service Desk, our Finance team or directly with your Customer Success or Account Manager. Once acceptance of the request to cancel has been confirmed by AccessPay, removal of access for all client users will be initiated at a date agreed by both parties. Requests to extract data will not be chargeable unless otherwise described in the clients contract. AccessPay will reply to the data export request as per GDPR and will answer the client request within 30 days of receipt.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
AccessPay is a reactive browser based solution.
When accessing the platform website through a mobile device users are limited to the dashboard and the approval function.
Service interface
No
User support accessibility
None or don’t know
API
Yes
What users can and can't do using the API
The AccessPay External Web API supports server-to-server interactions such as those between an ERP system and an AccessPay service.
All Schemes (Bacs, FPS, Swift and Host-to-Host) are supported.

The AccessPay Open API supports payment initiation, either through bulk files or via single or bulk submission in a JSON payload, as well as updates on payment statuses.
It also allows for access to balance and transaction information from underlying banks and collection of reports from the BACS scheme.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The AccessPay platform can be customised in the following ways;

Payments Automation (UK and International Payment Schemes);
- Role based profiles
- Workflow rules that segregate user duties within the software (create workflows by payment type, eg payroll and by area, eg Schools payroll with designated submitters and approvers in each).

Cash Management Automation;
- View cash balances by currency, region, division, bank, or any grouping determined by you.

In each instance it is the Administrative users who have the ability to add and remove users, create new workflows and alter role profiles.

Scaling

Independence of resources
AccessPay aim to provide a service level availability of up to 99.5% for the service hours of your support contract .

Analytics

Service usage metrics
Yes
Metrics types
AccessPay provide the following metrics as part of our customer success progamme;

- Active users
- Transaction volume and value throughput reports
- Usage reports
- Service availability reports
- Incident management performance
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users with the appropriate permissions can download uploaded transaction files from the AccessPay portal once logged in.
Through the Audit function users are also able to run and export audit reports such as File Journey, User Access Monitoring, User Permissions, Admin Changes and a full Transaction report.
Data export formats
  • CSV
  • Other
Other data export formats
XSLX
Data import formats
  • CSV
  • Other
Other data import formats
  • ISO 20022 - Pain.001
  • ISO 20022 - Pain.008
  • BACS Standard 18
  • Excel

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
AccessPay aim to provide a service level availability of up to 99.5% for the service hours of your support contract (see Section 2 Service Hours), with the exception of:
• Agreed routine maintenance windows
• Scheduled downtime
• Disruption / outages beyond the control of ACCESSPAY Systems
Service availability is calculated monthly using our automated monitoring.
Approach to resilience
Available on request.
Outage reporting
In the event of service outage, AccessPay will notify the clients stated business and technical contacts via email at the intervals outlined below according to the incident priority levels;

P1 - Urgent: Every 30 mins
P2 - High: Every 1 hour
P3 - Medium: Every 2 hours
P4 - Low: Daily

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
AccessPay operates RBAC based on the principle of least privilege and requires permissions from clients in some cases to get access to their data for support purposes. Access to systems is monitored and recorded for audit and monitoring purposes.
Users have clear role separations in the AccessPay solution and only approved users can contact AccessPay for support.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
18/09/2013
What the ISO/IEC 27001 doesn’t cover
Not Applicable
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
ECSC
PCI DSS accreditation date
31/08/2020
What the PCI DSS doesn’t cover
PCI DSS Level 1 compliant
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • ISO BCM 22301
  • SWIFT Approved software provider
  • BACS/FPS approved software provider

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
ISO 27001
ISO 22301
NIST security framework as base

Access Control Policy
Asset Management Policy
Data Protection Policy
Password Policy
Incident Management Policy
Vulnerability Management Policy

Internal and external regular audits, policies review, regular reporting to senior management and IMS committee

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All changes to our applications are tracked through JIRA, with those tickets retained and tagged for future reference relative to releases. Use of source control (Git) and pull requests that require approval from another developer provide opportunity for code and security review.
Static analysis is performed against all builds before reaching any environment, checking against OWASP Top 10, SANS Top 25, Common Weakness Enumeration: CWE, and SonarQube’s own security rules.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Threats are assessed using CVSS scoring and fixed based on the following score classifications;
Critical (CVSS 9+) < 2 Weeks
High (CVSS 7+) < 1 Month
Medium (CVSS 4+) < 3 Months
We collect information from several government and private agencies, for example new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) and National Vulnerability Database (NVD).
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Potential compromises/threats are identified using SIEM, vulnerability scanning, file integrity check, log monitoring, user activity monitoring and in-house-built application and system monitoring solutions which notifies abnormalities to our Security Team who react based on severity of the notification. Updates are provided hourly and most of the issues closed same day if no third party is involved.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
AccessPay users can notify AccessPay of incidents via our Customer Portal, email or telephone. Incidents are impact assessed and prioritized according to the following standards;

Priority Definition
P1 - Urgent Incident resulting in entire production system being down with critical or major business impact
P2 - High Incident resulting in inability to complete specific processing, with no viable workaround
P3 - Medium Incident resulting in inability to complete specific processing, but a workaround does exist to allow said processing to complete.
P4 - Low Cosmetic or minor issue, minor or no business impact

Reports are provided to named business contacts.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Fighting climate change

n/a
Covid-19 recovery

Covid-19 recovery

n/a
Tackling economic inequality

Tackling economic inequality

n/a
Equal opportunity

Equal opportunity

1) We recognise that discrimination is unacceptable and although equality of opportunity has been a long standing feature of our employment practices and procedure, we have made the decision to adopt a formal equal opportunities policy. Breaches of the policy will lead to disciplinary proceedings and, if appropriate, disciplinary action.

2) The aim of the policy is to ensure no job applicant, employee or worker is discriminated against either directly or indirectly on the grounds of age, disability, gender reassignment, marriage and civil partnership, pregnancy or maternity, race, religion or belief, sex or sexual orientation.

3) We will ensure that the policy is circulated to any agencies responsible for our recruitment and a copy of the policy will be made available for all employees and made known to all applicants for employment.

4) The policy will be communicated to all private contractors reminding them of their responsibilities towards the equality of opportunity.

5) The policy will be implemented in accordance with the appropriate statutory requirements and full account will be taken of all available guidance and in particular any relevant Codes of Practice.

6) We will maintain a neutral working environment in which no employee or worker feels under threat or intimidated.
Wellbeing

Wellbeing

AccessPay has put steps into place to support our employee physical and mental health. We provide an Employee Assistance programme which provides a 24/7 helpline offering practical and emotional support on a range of topics. Through this programme, employees can also access up to 8 free face-to-face counselling sessions per topic, which includes Cognitive Behavioural Therapy (CBT). Alongside this, AccessPay have also trained 5 members of staff to become Mental Health First Aiders who are available to provide support to employee’s alongside HR and Line Managers.

AccessPay provides free gym membership to all employees who would like to take advantage of this. For those that don’t, there is a £20 monthly wellbeing allowance available for employees to use towards memberships or activities that aid their wellbeing. Employees of AccessPay are also provided access to a Health Cash Plan, allowing them to reclaim the cost of dental and optical checks, prescriptions, physiotherapy and a number of other health related costs.

Pricing

Price
£1,200 a licence a year
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charles.haworth@accesspay.com. Tell them what format you need. It will help if you say what assistive technology you use.