Tech Mahindra Limited

Payments Platform - Target

Our payment solutions accommodate collection of regular or sporadic payments. Our offering facilitates Debit and Credit Card payments, Direct Debit mandates and Direct Credit transactions through BACS. Our system functionality integrates into online-portals, third-party services and contact centres. Our robust, scalable solution is hosted and supported across enterprise-class, high-availability infrastructure

Features

• Payment Solutions
• Debit and Credit Card, and DD payments solution
• Payments processing systems
• Customer online interaction anytime and via Point-of-Sale
• Standalone solution or integrated
• Integrate with contact centre and third-party providers
• Automated customer notification
• Bank account reconciliation
• Accredited by BACS
• Accredited ISO27001:2013

Benefits

• Payment Solutions
• Debit and Credit Card, and DD payments solution
• Payments processing systems
• Customer online interaction anytime and via Point-of-Sale
• Standalone solution or integrated
• Integrate with contact centre and third-party providers
• Automated customer notification
• Bank account reconciliation
• Accredited by BACS
• Accredited ISO27001:2013

£400.00 to £1,850.00 a user

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at MB00787638@techmahindra.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

126391548855253

Contact

Michael Blakemore
+44 7432452595
MB00787638@techmahindra.com

Service scope

• Service constraints: No constraints
• System requirements: Client to ensure the correct browser is in use

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Responses are provided within individual SLAs agreed with the client.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Yes, at an extra cost
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AAA
• Web chat accessibility testing: Where web chat is required we will work with the client to determine which standards must be met.
• Onsite support: Onsite support
• Support levels: Target offer a 24/7 IT Service Desk as standard and are able to provide additional, value add services such as Technical Account Manager and dedicated technical resource on a case by case basis. Target is a flexible organisation that works with it's clients to meet their requirements and agree the most commercial mechanism.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Target’s standard training approach is to “Train the Trainer” which falls into three broad areas.; • Configuration Training deals with how to set up the system to perform as required by the client. Such configuration is typically carried out by a Business Support function at the client.; ; • Systems Administration Training covers items such as document, user, and interface management. Systems Administration is likely to be carried out by IT staff. As hosted service (IT Managed Service) option will minimise the requirement for Systems Administration.; ; • User Training covers all the operational functions of the systems. In general, our clients prefer to follow the “Train the Trainer” model, rather than have Target train all their users. This approach allows clients to tailor their training to their own particular business processes.; ; Training costs are typically built in to the solution pricing.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
  • Other
• Other documentation formats:
  • Word
  • Excel
  • Powerpoint
• End-of-contract data extraction: We have a formal process in place for data extraction at the end of a contract which includes data migration, project management, legal requirements (eg GDPR requirements)
• End-of-contract process: The provision of data in Target's prescribed format to the client / new 3rd party acting on behalf of the client is included within the price of the contract.; In addition, any decommissioning of data, and associated hardware infrastructure would take place at the agreed time and is included within the price of the contract.; ; Any requirement for additional services from Target such as Legal, Commercial, Project Management, extraction of data in a non-standard format and provision of guidance in relation to the extracted data would be agreed when Target is made aware of the desire to move the portfolio data to another supplier. Target would look to recover the cost of these additional services.

Using the service

• Web browser interface: Yes
• Using the web interface: The web unified user interface provides a single point of access to mission critical applications. It can produce a single customer view across multiple applications which reduces risk and increases productivity. ; The web interface provides users with an intuitive single-click workspace that provides access to:; • All customer and account related information (based upon user role and mandate); • Update functions to amend customer and account information; • Inbound and outbound documents; As the user interface is browser based, it reduces training time and cost ensuring users are fully productive as early as possible. ; The presentation layer is highly configurable, providing configuration options for tabs, data content, tables, buttons, pop-ups, entity search, third party product links, and database connectivity. The presentation and permissions can be tailored by job role, allowing the look and feel of the web interface to be tailored to the role of the user.; The web interface provides access to the Account Management solution to support all aspects of the Customer lifecycle post completion. Access to the customer and account based functions is sanction controlled to ensure only authorised users can make requests or amend the account details (e.g. interest rate, bank account details, repayment dates).
• Web interface accessibility standard: WCAG 2.1 AAA
• Web interface accessibility testing: Undertaken on a client by client basis, depending upon their requirements.
• API: Yes
• What users can and can't do using the API: Target have some standard API's to allow access to some standard features. The majority of Target's clients are be spoke and therefore any API's that are developed are bespoke.
• API automation tools: Other
• API documentation: Yes
• API documentation formats: PDF
• Command line interface: Yes
• Command line interface compatibility: Other
• Using the command line interface: IBM OS 400 - functionality is provided on a case by case basis, depending on client requirements.

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Each client will have an individual, dedicated environment
• Usage notifications: Yes
• Usage reporting: Other
• Other usage reporting: Contact the client accordingly

Analytics

• Infrastructure or application metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • End-to-End Managed Service Platform
  • Backed up on local disk
  • Replicated to secondary location
  • All backups are AES256 encrypted
• Backup controls: This is defined as part of the Managed Service offering and is built to client requirements.; Backups are typically considered during the design phase and are implemented according to client requirements regarding RTO and RPO.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We provide 99.5% availability, which is our general SLA. However, we will meet customer requirements should these differ.
• Approach to resilience: Target has dual-resilient data centre.; Datacentres have physically and logically diverse network connectivity from BT Global to ensure communications resiliency.; All components are a minimum of N+1 for local resiliency and this capability is replication to a secondary datacentre to ensure service availability targets are met.; ; Further information can be made available upon request.
• Outage reporting: We provide email alerts to inform customers of any service outages.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Role based access control is enforced using technical tooling (e.g. Microsoft Entra ID).; Monthly re-certification of users.; Privileged users are subject to a Privileged Access Management (PAM) solution and re-certified monthly.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through: Dedicated device on a government network (for example PSN)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 31/05/2023
• What the ISO/IEC 27001 doesn’t cover: Outsourced Software Development (all development is in-house)
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Cyber Valley Ltd
• PCI DSS accreditation date: 13/11/2023
• What the PCI DSS doesn’t cover: No Exclusions
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The Chief Information Security Officer holds executive responsibility for Information Security at Target, includes reporting on Information Security topics and issues to the Management Risk Committee (MRC), Executive Committee and the Board. The CISO is responsible for: • Developing and delivering Target’s Information Security strategy and policies • Ensuring and ratifying that agreed security controls are in place and effective • Managing Information Security audits (external, client and internal) • Ensuring good awareness of Information Security issues across Target • Maintaining IT related risks and escalating to the appropriate risk committee • Reporting on Information Security topics and issues to the Chief Security Officer • Assisting on presenting Information Security topics and issues to the ExCo, MRC and the Board The Information Security team is led by the CISO and consists of Information Security specialists and contribute to the delivery of Target’s Information Security practices, as directed by the CISO. All Information Security incidents, are reported to Risk in accordance with the Breach and Event Management Process. In the case of personal data breaches, this includes recommending to Target’s DPO if it should be reported to the relevant authorities). All communication and contact with any regulatory is conducted through Compliance.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All Change is managed through a formal Change Management procedure. Changes are assessed for impact by a number of approvers including the Information Security Manager.; A Technical Change Advisory Board takes places every Monday prior to the Business Change Advisory Board on a Wednesday. Changes are assessed during the Technical CAB for Security Impact.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Threats are assessed by receiving Threat Intelligence from Tech Mahindra Internal Security Group, CISP, Alert Logic, NCSC and other industry sources. ; Target's partnership with Alert Logic allows to understand if vulnerability poses a threat to our organisation and it's systems. These are automatically logged and triaged and addressed in agreed timescales.; Target consistently have a 95%+ adherence to patches available vs patches applied to the technical estate. This Management Information is included in monthly Key Risk Indicators.; Patches are automatically applied to the technical estate using a number of tools: Primary Ivanti Heat, Microsoft SCCM, PatchMyPC to ensure full coverage.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Target has Intrusion Protection systems in place as part of its firewall suite. We have various alerting systems in place as part of the above, so that we are made aware if an incident occurs. We respond to incidents through our 24/7 Command Centre. This is support by On-Call support. Incidents are responded to based on the threat perception
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We have an Incident Management process in place which is deployed across the business. An Incident Manager is in suite who manages all incidents as and when they occur. All incidents are recorded within our system and a report is generated from that system.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: VMWare (Intel Compute); LPAR (IBM iSeries Compute)
• How shared infrastructure is kept separate: Segregation at the Hypervisor Level; Segregated VLANs at the Network Level; Segregation at the storage level using logical Volumes (NetApp and IBM vSeries Storage). All storage AES256 encrypted.; Logical Segregation using RBAC

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We have set ourselves the target of completely off-setting our carbon footprint by 2025. To help us achieve this outcome, we have action plans in place over the next three years as part of a phased reduction to help us meet our target.

  Covid-19 recovery

  We enabled over 1000 staff to work remotely as a result of the pandemic. As part of our Covid-19 recovery we are working with staff to support them in their preferred way of working. This includes 100% on site, hybrid working or 100% working remotely. We want to ensure that our staff and teams are supported as part of this process.

  Tackling economic inequality

  As part of our ESG Strategy, we having several initiatives to tackle economic activity. We working closely with schools in some of the most deprived areas to provide talks and information to students on the opportunities available within the company. Within the last 12 months, we also launched an apprenticeship programme to support people into the company. This provides them with specific training and development to support them with their career development.

  Equal opportunity

  Diversity and inclusion (D&I) is at the heart of our ESG work. We have leaders that are advocates in creating an inclusive and diverse culture and have an objective to encourage Diversity and inclusion and the closure of our Gender Pay Gap. Our D&I Strategy is underpinned by five key pillars - gender; disability; LGBT+; multi-generational and multi-cultural. We have a cross-organisation working group which meets every month to drive our strategy. This cross-organisational approach helps to actively raise awareness of diversity, inclusion and equality across the organisation, and ensure that all voices are heard, and that we develop a truly inclusive culture, where colleagues feel represented and are encouraged to do their best, progressing within their careers.; We have also set a goal to have no gender pay gap by 2025, and have an action plan with targets to reduce the gender pay gap each year over the next 3 years in order to meet our overall 0% gender pay gap target.

  Wellbeing

  Our wellbeing vision is 'to work together to meet the holistic health and wellbeing needs of our people. So ,they are resilient, lead fulfilling lives, are emotionally and physically healthy and feel safe and secure and happy.' To support this work we have trained mental health first aiders across the business, who provide confidential support and advice. We also provide an employee assistance programme (UNUM), which is provided free of charge to all employees and offers assistance, including a wellbeing programme. Assistance includes physical and mental health, legal matters, personal relationships, financial planning, and career development.

Pricing

• Price: £400.00 to £1,850.00 a user
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at MB00787638@techmahindra.com. Tell them what format you need. It will help if you say what assistive technology you use.