Syntec Limited

CardEasy secure contact centre payment solutions

CardEasy enables you to de-scope your contact center environment from PCI DSS, including voice and digital engagement channels. Seamless integration with your existing telephony and IT infrastructure reduces the risks and costs associated with managing compliant card payment transactions in your contact centers, whilst improving customer experience and trust.

Features

• Mid-call with the agent; DTMF masking and Automated Speech Recognition
• Syntec managed and patented service
• Secures card payments by phone and via digital communication channels
• IVR (self service) and digital payment options
• Agents can see progress of card numbers entered by customer
• Compatible with all Payment Service Providers and Digital Channel providers
• Telephony & CRM agnostic
• Card data no longer seen, heard, stored in contact centres
• Flexible to deploy
• PCI DSS level 1 Coalfire-verified managed service

Benefits

• Reduces fraud risk
• De-scopes the contact centre from PCI DSS controls and monitoring
• Customers’ card numbers not audible/visible to agents or recordings
• Call recordings can be full length – makes Pause/Resume obsolete
• Suitable for home and remote workers
• Reduces PCI DSS audit requirements and cost
• Improves transaction times and customer trust
• Preferable to card numbers being read out over the phone
• Increases revenue by enabling payments via digital channels too
• Seamless customer experience, via whichever channel

£15 to £40 a user a month

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@syntec.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

169250243810637

Contact

CardEasy Sales
020 7741 2000
sales@syntec.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: • Add-on to voice/telephony services; • Add-on to IVR; • Add on to payment services; • Add-on for payments via digital channels (e-mail, SMS, webchat, WhatsApp, social media and chatbots); • Extension of CRM software; • Extension of contact centre services
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Agnostic to PSP, Telephony, digital channel provider(s), CRM systems and payment application
• System requirements: N/A CardEasy is supplied as a fully managed service

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Minor: 24 Hours, Normal Maintenance Working Day; Major: 4 Hours, Normal Maintenance Working Day; Critical: 1 Hour, 24/7/365
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Minor (24 hour response): Minor Fault means a minor degradation to a component of the Service that does not stop the end user(s) from working.; ; Major (4 hour response): Major Fault means a degraded Service that impacts a Customer’s business process or a total or material loss of a non-critical component of the Service where the end user(s) cannot perform any useful work on that component. ; ; Critical (1 hour response): Critical Fault means a complete or significant component of the Service is unavailable or inoperable, which prevents or is likely to prevent if not resolved, a Customer’s business process from fulfilling a vital business function.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Hands-on session by webex
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We only retain data for reporting purposes if required. This data can be made available in csv format on demand
• End-of-contract process: The merchant will be contacted about extending or renewing

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Payment can be made by phone (voice and phone keypad) or using any device which supports a HTML link.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Web based interface bespoked to customer needs
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Happy to carry out testing with clients' accessibility teams as required
• API: Yes
• What users can and can't do using the API: Users can initiatate card captures, provision users
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Elements of the UI can be altered

Scaling

• Independence of resources: The service is horizontally scaleable with dynamic load balancing

Analytics

• Service usage metrics: Yes
• Metrics types: Customisable reporting of calls, card captures and transactions in both summary form and at the individual call level. Reports can be viewed in tabular form in real time via our web portal, viewed on dashboards, sent by email or uploaded to SFTP in Excel format.

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Other
• Other data at rest protection approach: Data sanitisation
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: CSV
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: All data in transit is strongly encrypted using ciphers negociated using TLS 1.2 Card data is never written to disk. Reporting databases and their backups are encrypted using AES-256
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our SLA is 99.995%. Service Credits are provided if we don't meet guaranteed levels of availability.
• Approach to resilience: Service is delivered from multiple geographically diverse data centres with all components redundant within each DC. Further information is available upon request.
• Outage reporting: Registered Reporting Portal.; Users can view service updates via the Syntec platform.; They can also subscribe to receive service / incident updates by e-mail or RSS.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: As defined by the Customer
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 20/05/2021
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Coalfire Systems Inc.
• PCI DSS accreditation date: 13/07/2021
• What the PCI DSS doesn’t cover: The entire CardEasy service and supporting services are covered
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: ISO/IEC 27001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: PCI DSS Level 1 certified under v3.2.1
• Information security policies and processes: Syntec adopts best practices for security governance, complies with current standards and seeks to continually improve in all areas of security.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Configuration and change requests (CR) are logged via a ticketing system.; The CR must include a deployment plan, a rollback plan, a test plan and detail potential risks and impact to service, during the change window.; The CR is peer assessed before being passed for Change Manager or CAB approval.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We have a policy document that defines the standard procedure and timescale for managing security patches within the company. This includes definitions of: • the composition and role of our Patch and Vulnerability Group (PVG) • the role of senior management • the process of identifying identify newly discovered security vulnerabilities • a formal patch management life cycle process. This procedure applies to the management of security patches for our Windows and Linux platforms and to our network devices. Where applicable, the application of patches to our-hosted infrastructure is subject to agreed client change management and approval processes.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Syntec uses the PCI DSS v3.2.1 standard for service providers and GPG 13 guidance on Protective Monitoring, e.g. accurate timestamps on logs and events, alerting on critical events, recording of various activity, reporting on the status of the audit system, etc. A Security Information & Event Management Solution (SIEM) is used to identify potential compromises. If a compromise is found it is investigated. A Security Incident is raised to track the investigation, root cause and solutions, if required, to rectify or improve the situation. There is a response to incidents as close to real time as practicable.
• Incident management type: Supplier-defined controls
• Incident management approach: Syntec operates an Incident Management process which has numerous pre-defined sub groups of staff designated for particular products or scenarios. It can be initiated by any member of staff and is managed by the 24/7 support staff. Any incident is reported by the customer to the Service Desk, it is recorded in a customer relationship management tool (CRM) and an Incident report is produced after root cause analysis has taken place. Any Incident reports are made available to end users via pdf within 5 working days of the resolution of the incident.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Syntec as a business is working towards net zero greenhouse gas emissions. In order to achieve this, as a business, we are reviewing and identifying the changes that need to be adopted by our staff, our suppliers, our customers and how we work in our community to reduce our carbon footprint.
• Wellbeing:

  Wellbeing

  Syntec has five values, the fifth value ‘H’ is for humanity, amongst other areas, this encompasses the well-being of our staff and the support we provide to our local community. ; ; There are continual initiatives in the organization to support the health and wellbeing of our staff and they evolve as the world around us evolves. Ie the initiatives during COVID and lockdown are different to the current initiatives. We provide flexible working to our employees, enabling parents to have balance in their live, not only pursuing their careers, but also allowing flexibility to manage their homelives and caring for their children or elderly relatives. We provide a range of benefits to our employees, such as Pilates, fresh fruit etc.; ; In the Community, our chosen charity to support is our local DENS charity, who’s aim is ‘Helping Rebuild Lives for people in Dacroum who are facing homelessness, poverty and social exclusion.

Pricing

• Price: £15 to £40 a user a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@syntec.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.