Experian

Experian CrossCore Identity and Fraud Services

CrossCore is a modern, cloud-based digital Identity and fraud platform that enables organisations to Identity customers and detect and prevent fraudulent activity in realtime. CrossCore delivers a comprehensive Identity and fraud toolkit that combines multiple data sources and services through a single, flexible API.

Features

• Single open API for a complete identity and fraud journey
• Smart orchestration workflows and strategies with no-code rule management
• Pre-integrated with multiple Experian and 3rd party solutions
• Real-time account setup, account management and transactional fraud risking
• Holistic view of all services triggered for the account setup
• A range of configurable tools to assist investigation
• Cloud-based platform that allows for scalability and flexibility
• Returns raw data along with overall decisioning
• Ability to load custom data to be included during decisioning
• Consortia of known fraudulent devices

Benefits

• Single integration via CrossCore for all fraud and identity services
• Seamlessly onboard citizens and provide account access with confidence
• Configurable strategies with orchestration, case management and decisioning
• Fraud assessment with 360-degree view of the citizen’s identity
• Machine learning to minimise false positives and enhance citizen journey
• Decisioning capabilities empower you to make the best possible decision
• Enables you to adapt to changing public sector environment
• Optimise results to reduce operational overheads
• Connects services from Experian, our partners', or your data
• Accelerate digital transformation projects

£0.04 to £3 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at digitalmarketplace@experian.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

165438786370790

Contact

Experian Public Sector
+44 (0) 115 941 0888
digitalmarketplace@experian.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Planned Maintenance windows which are communicated in advance.
• System requirements:
  • Online, web access required through standard browsers
  • REST Web service

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: To manage client services effectively and consistently, Experian provides Major Incident Management, Incident Management, Service Request Management, Problem Management and Operational Change Management with standardised processes. Incidents and Major Incidents are given Priorities, with higher Priorities receiving faster responses and restoration times. Tracking these values and performing internal data analysis enables Experian to continually improve these services and reduce impact to all clients.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support is weekdays 09:00 - 17:00 UK time, excluding public holidays, but enhanced packages can offer 24/7 Major Incident Management and Availability Management.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: You will be provided with full technical documentation, user guides and have access to our team of experts who will be available to help with the initial integration, setup and configuration. ; Full user guides available, welcome product calls, online FAQ and troubleshooting, plus paid-for integration assistance and training available.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Available upon request otherwise all data will be permanently deleted.
• End-of-contract process: At the end of the contract, the Buyer shall cease to use all Licensed Materials and Licensed Programs

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The User Interface (UI) is leveraged by our client users to view the submitted applications, their results and can also action on the cases. The UI also has features to manually enter new applications.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We use testing tools like Axe to highlight any non-compliance issues and these are fixed in accordance to our policy.
• API: Yes
• What users can and can't do using the API: The interface is a JSON REST web service interface that users can use to integrate against as many of the available services as required.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The solution allows for multiple different configurations depending upon use case and needs.

Scaling

• Independence of resources: Applications are run in separate environments; Regular monitoring of usage and performance.; System is scalable when appropriate.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics are shared with clients upon request, they are customizable but will include, but not limited to, number of searches, services called, results, etc.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: FIPS 140-2 compliantsecurity level 3; AES 256 encryption
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users are expected to retain copies of the results from CrossCore submissions within their own systems, as required. We do offer data export for services upon request.
• Data export formats:
  • CSV
  • Other
• Other data export formats: .json
• Data import formats: Other
• Other data import formats: .json

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Web Application Firewall, IP Whitelisting, AES 128 encryption
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Web Application Firewall, IP Whitelisting, AES 128 encryption

Availability and resilience

• Guaranteed availability: Availability SLAs will be defined case-by-case. The actual Availability of the CrossCore platform in FY24 across all UK&I clients was 99.99%.
• Approach to resilience: AWS Cloud and the Experian Data Centre Experian data centre complies with the Experian Global Security policy, this is available on request.
• Outage reporting: We have internal alerts configured in our system, designed to highlight any issues to the relevant teams for proactive actions.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: Username and password with Multi-Factor Authentication for the User Interface; Username and password, IP whitelisting and time bound token for the API integration
• Access restrictions in management interfaces and support channels: Experian's Access Control Standard drives all user accesses for our products. A policy of least privilege access is applied across the group to ensure all users only have access to what is required - this is regularly reviewed. Any privileged accounts are rigorously checked both prior to granting access, during use and on termination of permissions. Users come under multiple levels of policy regarding accounts and device usage. Networks are highly segmented with monitoring for inter-segment violations. Any sensitive systems are housed in dedicated secure environments.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: DNV GL Business Assurance Limited
• ISO/IEC 27001 accreditation date: October 2023
• What the ISO/IEC 27001 doesn’t cover: NA
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Viking Cloud (earlier known as Trustwave)
• PCI DSS accreditation date: 12/10/2023
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Experian have a comprehensive global security policy based on the ISO27001 standard which covers: Organisation and Management, information security, asset classification, physical and environmental security, communications and operations management, system access, systems development and maintenance, compliance, personnel and provisioning, business continuity management, third party management.; ; The policy is owned by Experian's executive risk management committee which is an executive level body, and which assumes ultimate responsibility for Experian's risk position.; ; Information security is a key component of the risk management framework. Experian management supports security through leadership statements, actions and endorsement of the security policy and implementing/improving the controls specified in the policy.; ; The policy is available to all Experian employees and contractors on the intranet. Changes to the policy are announced on the company's intranet computer-based information security and data protection training, and this is repeated on at least an annual basis. Compliance to policy is overseen by internal audit.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Approach Experian have a change management policy which is underpinned by processes and procedures based on ITIL best practice. This is a mature process. We use a service management tool that integrates change management, incident management, problem management, configuration management and knowledge management. Our change management policy, processes, and procedures are regularly audited by independent auditors. Formal risk analysis is employed using an approved information risk analysis phase for developments/changes. Security requirements for the system are identified and continue to be considered throughout the life of the product.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Servers and PCs are built to a documented secure standard, which includes anti-virus and malware defences. Information assets have a defined patching schedule, determined by the system's criticality and the level of threat the patch is mitigating. Experian actively monitors threat environment and checks the effectiveness of security controls by reviewing both free and paid for sources of threat information, including, public information, major vendor feeds and also receiving information from specialist closed group mailing lists. The overall process is also plugged into an automated patch and fix strategy, underpinned with a technology infrastructure to deliver corrective updates.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Monitoring processes and tools are in place to manage alarms generated by security related alerts and these are fed into the incident management process. Experian has a formally documented risk based incident management process to respond to security violations, unusual or suspicious events and incidents. In the event an incident occurs a team of experts from all relevant areas of Experian are gathered to form an incident response team, who manage activities until resolution. The incident response team are available 24/7 to resolve any incident. Out of core hours the dedicated incident hotline is routed to the command centre.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The incident management process incorporates a number of participants and contributors, including: Global Security Office - who facilitate and coordinate activities under the business security coordinator's guidance; Business Security Coordinator - a representative of the impacted business area, responsible for coordinating resolution activities; Incident Response Team (IRT) - IRT is made up of a membership that are empowered to make key decisions surrounding the actions to be taken to reduce impact, control actions, and impose corrective activities. A client report would be created, including: high level overview; facts; overview of events; actions taken.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  As an information services business, we have a relatively small environmental footprint compared to many other industries. The biggest impact from our controlled operations relates to greenhouse gas emissions from energy used to power, heat and cool our buildings and data centres, and from business travel (pre-Covid-19). Every year we reduce our carbon footprint, yet we want to take it further and accelerate our response to the climate change challenge We’ve started our journey to becoming carbon neutral. Our global Corporate Responsibility team is engaging with various teams across the organisation to discuss carbon reduction initiatives and get a good understanding of what’s needed to achieve our target by 2030. This will allow us to develop a detailed Carbon Neutral Plan, including initiatives, targets, costings and timeframes, for agreement by end of November.

  Covid-19 recovery

  We have focused on supporting our people, clients and consumers throughout the COVID-19 pandemic, using data as a force for good, helping to navigate the crisis. We quickly transitioned the majority of our employees to work from home. We introduced flexible working and increased collaboration tools and support networks, such as mindfulness programmes, to help our people navigate the challenges of home working. Webinars and senior leadership vlogs helped us connect. Our employees around the world have shown incredible resilience, commitment and flexibility during the COVID-19 pandemic and this is reflected in our results. We maintained operational capacity throughout the pandemic, we have kept the health and safety of our employees as the primary consideration of our pandemic response. Most of our employees are still working remotely. An effort is underway to determine our strategy for work arrangements in the future. We expect this to be guided by a consistent global framework and principles, with local flexibility around the approach to account for legal and cultural nuances. We continue to take industry-leading positions designed to protect and educate consumers, as well as to promote the responsible reporting of data, with appropriate safeguards, in order to help the economic recovery from the crisis.

  Tackling economic inequality

  We help millions of people and businesses around the world get fair and affordable access to essential services and we work hard to make sure our business has a positive impact on the world, never a negative one. Our responsibilities – to people, society and the environment – guide everything we do. By collecting and analysing data, we help people and businesses build up a financial track record and gain access to essential, everyday services that have previously been out of reach. We’re also pioneering the use of alternative data, such as rental or utility payments, to help people with limited financial history build up and strengthen their credit profiles. Our people’s talents and our business resources go beyond the workplace. We encourage our people to use their skills to benefit society: many volunteer their time and skills to support their communities and improve financial education. We also help our people support local groups and charities by matching funding and giving donations. At Experian we realise relationships with all our stakeholders are key to our success and sustainable business growth. We also recognise that we have an impact on and responsibilities for the society we trade within. We consider these responsibilities carefully and aim to have a positive impact wherever we can. Experian has developed a set of CR principles, endorsed by our Management Committee, to guide and enhance the way we work with our customers (both clients and individual consumers), colleagues, suppliers and communities. As a company, we are committed to working by these principles and will regularly benchmark and assess our progress in each area and report through our parent company. Please see a copy of Experian’s supply chain principles on the following link: https://www.experian.com/corporate/code-of-business-conduct

  Equal opportunity

  Each and every one of our people deserves to feel valued, represented, and that they belong at Experian. We have over 30 employee-led groups globally that play a huge part in creating inclusion and advocating on behalf of our people. These groups are not only a safe space for anyone who needs it, but also drive change and build awareness across Experian, raising the standard for everyone. Experian are registered as ‘Disability Confident’ and are currently undertaking an assessment with the Business Disability Forum. Our top 3 areas for focus this year is in learning & development, communications and technology. Our ambition is to remove barriers for all employees with disabilities at Experian. Experian recognises that equal opportunities are fundamental to the Company’s success and is committed to encouraging a working climate that respects and promotes equality. There is a publicised Equality, Diversity and Inclusion policy which sets out the Company and employee responsibilities for ensuring equality and embedding a culture and working environment that actively safeguards against discrimination and unfavourable treatment of people in all aspects of employment including recruitment, promotion and training opportunities. There is also a Dignity at Work policy which sets out Experian’s commitment to creating a work environment free of harassment and bullying, ensuring everyone is treated with dignity and respect. All of the policies are compliant with the requirements of the Equality Act 2010 and the relevant clauses of the HRA. More information can be found in Experian’s Diversity, Equity and Inclusion Report here: https://www.experianplc.com/investors/reports/

  Wellbeing

  Since the pandemic we have increased our focus on the health and well-being of our teams across the world. We quickly implemented regular pulse surveys so we could respond rapidly and ensure the right support was available. We emphasised mental health, reflecting the challenges people faced while working remotely. A response to the statement ‘I am feeling physically and mentally well’ was 75% favourable on average across five pulse surveys we ran during the year. We put in place a range of initiatives to support our teams, for example #ReachOut, which gave all employees access to resources to support their physical and mental health whenever they needed it. Experian has an important role to play in helping everyone through these uncertain times. We recognise the significance of the role we play in the UK economy and we are committed to ensuring that our data services are being used to help, protecting vulnerable people, businesses and communities. At Experian, we work to create a better tomorrow for consumers, for businesses, and for our communities. This ambition underpins our plans for our people – to ensure we have the best people, working in a high-performing and inclusive environment where they feel they can do their best work in support of our vision. We help millions of people gain access to essential, everyday services by helping them make the most of their data by Improving financial identities and access to credit, providing credit and financial education and tackling unmanageable debt among vulnerable groups. We define our responsibility as playing an active part in social and economic regeneration in our communities, at a local, national and global level, and we have many motivations for this engagement.

Pricing

• Price: £0.04 to £3 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Subject to agreement on size and scope, free trials may be available for the Web or API services.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at digitalmarketplace@experian.com. Tell them what format you need. It will help if you say what assistive technology you use.