Tone Masking DTMF
PayPoint offers DTMF tone masking to support your contact centre and organisation by supressing or masking sensitive authentication data and maintaining PCI compliance. This allows calls to be recorded for quality or training purposes whilst protecting the data from cards used by customers to make payments.
Features
- Ability to take PCI-DSS Compliant Telephone Payments
- Hosted solution sits independently from your existing telephony systems.
- Customer simply inputs Payment Information into telephone keypad
- Cloud-based solution allows for multiple agent usage of Platform
- Agents can access solution securely from contact centre or home
- Automated Software masks keypad (DTMF) tones input for making payments.
- Ability to set-up recurring Payments, provision Instalment Payments
- Payments can be taken for MID’s - single solution.
- Existing phone lines re-directed to enter secure tone masking environment
- Pull data from CRM or sources in a secure manner
Benefits
- De-scopes Contact Centre - No need for costly PCI-DSS Compliance
- Increase data security
- Fully compliant for office and non office-based staff
- Calls can be recorded in full, no ‘Pause and Resume’
- No Cardholder data will enter your environment
- Intuitive agent interface as part of the payment flow process
- Hosted solution, no costly rip and replace of existing infrastructure
- Recurring Payments helps collection rate
- Uninterrupted Call Recording with no data storage
- Enhances Customer experience with no 'Pause and Resume'
Pricing
£0.20 to £0.25 a transaction
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
2 2 7 9 2 9 4 0 1 3 4 7 6 4 5
Contact
PayPoint
Ian Ranger
Telephone: 01707 600388
Email: ianranger@paypoint.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- The PayPoint service is available 24/7 and we operate a full disaster recovery facility to provide complete service resilience. In the event we do carry out system maintenance, we provide our clients with notice and schedule overnight to ensure minimal disruption.
- System requirements
-
- Our service is available via Internet Explorer 9+
- Compatible with latest version of Chrome
- Compatible with latest version of Firefox
- Compatible with latest version of Opera
- Compatible with Safari
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Depending on the severity of the question. Responses can be handled immediately. At weekends, only severity 1 questions will be handled immediately.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- The PayPoint Client Management team are available 9 to 5:30 Monday to Friday. Outside of core hours, we maintain an operational contact centre that is available 24/7 to deal with any urgent issues.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- PayPoint's Client Implementation team will work with you to develop, test and implement the services. We will provide you with specifications and user documents and we will help you to complete a questionnaire which details your requirements. Once developed, we provide full end to end testing and implement upon your acceptance. When the service is live you will be introduced to the Client Services team who will manage any day to day issues or questions you may have.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- Transaction data is provided daily up to the day the contract ends. Any client data will be returned at the end of the contract.
- End-of-contract process
- In the event the buyer transfers to another supplier, PayPoint will help to ensure a smooth transition. There would be no additional costs.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- The mobile user journey for setting up direct debit mandates can be either through mobile enabled sites or directly through APIs from your own apps.
- Service interface
- Yes
- User support accessibility
- None or don’t know
- Description of service interface
-
The interface is an easy to use interface that allows user to set up and maintain customers and direct debit mandates.
There is required BACS reporting, and additional insight reporting available through the platform.
The interface makes it easy for any organisation to manage their Direct Debits. - Accessibility standards
- None or don’t know
- Description of accessibility
-
Users can:
Set up new direct debit mandates
Manage existing direct debit mandates
Search for customer Direct Debits
Create new schedules
Review BACS reports
Run tailored insight reports.
Audit Transactions - Accessibility testing
- This has not been tested but our excellent coding standards mean that the interface should be compatible with screen readers.
- API
- Yes
- What users can and can't do using the API
-
PayPoint have made available direct APIs in order to facilitate the payment, and removing the need for clients to be PCI compliant if required.
All PayPoint channels are built on a common set of RESTful APIs. These APIs are now being offered to clients to allow them to build their own channel apps or integrate into existing ones.
PayPoint offers a full user journey scoping service, advising on the best APIs to use to achieve maximum user satisfaction. - API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
PayPoint can provide buyers with a range of customisation within Direct Debit
Our Hosted Mandate Page can be fully branded and be compliant with BACS.
Bank Modulus checks and Postcode checks are included
APIs allow full customer user journey control.
Our Client Implementation team will work with you during the set up process to customise the service to your requirements.
Scaling
- Independence of resources
- PayPoint operates a 24/7 real time on-line system, supported by dual data centres to ensure full service availability at all times. Across all payment channels, PayPoint has an enviable track record of near total up-time, meeting industry best standards and this extends to resilience in the event of major service problems. During peak periods, PayPoint processes over 10 million transactions a week.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
As well as providing a daily batch transaction file (csv format), PayPoint provide an online dashboard so buyers can see Direct Debit Transactions.
In addition to all Mandatory BACS reporting, reporting is available on customer behaviour and insights. - Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
-
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Other
- Other data at rest protection approach
- Data is held in a private subnet which is only accessible via a VPN; bank data is encrypted and not visible in plain text. ISAE 3402 I-Movo (as entirely hosted in Azure); RSM (as entirely hosted in AWS). Backup and storage of tapes: Encrypted using CommVault; Company laptops: Encrypted using Bitlocker. Obfuscating and Encryption techniques: Where appropriate to the risk (following ISO 27001, PCI DSS Compliance standards)
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
-
PayPoint provide clients with daily transaction files which contain details of all transactions processed the previous day.
All Reports are also available to download via the Direct Debit Client Portal - Data export formats
-
- CSV
- Other
- Other data export formats
- Excel
- Data import formats
-
- CSV
- Other
- Other data import formats
- Excel
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
SLA = 99.99% availability
Users are refunded via bet invoicing methods. - Approach to resilience
- Regular monitoring. The service is based in Dublin Ireland and is mirrored in three data centres which are on separate power and telecoms networks. If one becomes unavailable, it switches to one of the other two to maintain availability. We also hold a separate copy of the data in London and this can be deployed and running in one hour.
- Outage reporting
- Email and system notifications to authorised Users. Any outages are reviewed at a management meeting monthly.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Username or password
- Access restrictions in management interfaces and support channels
- Any access to our interfaces requires the end user to enter their Username and Password.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Username or password
Audit information for users
- Access to user activity audit information
- Users receive audit information on a regular basis
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- BSI - ISO/IEC 27001 2013
- ISO/IEC 27001 accreditation date
- 14/08/2022
- What the ISO/IEC 27001 doesn’t cover
- Nothing - All systems, premises, software applications, business processes and operations are covered.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- Yes
- Who accredited the PCI DSS certification
- Foregenix Ltd
- PCI DSS accreditation date
- 17/05/2023
- What the PCI DSS doesn’t cover
- N/A
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
PayPoint has a documented Group Information Security Policy and Security Policy Framework both compliant with ISO27001:2013. These are supported by a suite of other policies and procedures published for staff on our Intranet. Examples include anti-virus protection, vulnerability management, internet and e-mail use, staff training, risk management and incident reporting.
We ensure compliance to these policies by implementing our own internal audit system, employing third party auditors to target specific areas of governance and we are subject to registration visits twice per year for ISO27001:2013, once per year for PCI DSS and a number of audits for LINK compliance. All staff including contractors are expected to complete an information security induction when they begin at PayPoint and all staff are given refresher training once per year. All staff are expected to complete both GDPR and DPA training on our learning management system.
The company has established a Cyber Security Sub-Committee and the board actively participate in both strategic risk reviews and incident exercises.
PayPoint has a Risk and Compliance team comprising of a Head of Risk and Compliance, a Risk and Compliance Manager, a Fraud and Police Investigations Officer and a Technical Security Analyst.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- PayPoint has a documented change management procedure. Development and production environments and staff are segregated. There is a weekly change review board that must approve any change before it is deployed to production. There is a facility for emergency changes to be released but this requires senior IT Management approval. PayPoint has dedicated project managers, a dedicated configuration manager and a documents software development process. In production, change managers have oversight of product deployments. Every weekday there is a meeting on the operations bridge to review all technical incidents changes and business in hand.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- PWe employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
There is a daily bridge review of all risks and incidents which is internally escalated and reviewed.
We also employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk. - Incident management type
- Supplier-defined controls
- Incident management approach
- PayPoint is registered for ISO27001 and is PCI compliant. In the event of an incident, we will notify our clients via e-mail. If Users identify an incident, they should contact their Account Manager or the Operations bridge if outside core hours. PayPoint provide incident reports via e-mail where appropriate.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
Tackling economic inequalityTackling economic inequality
Supporting customers and retailers, enabling clients to provide vital
services in the community.
Pricing
- Price
- £0.20 to £0.25 a transaction
- Discount for educational organisations
- No
- Free trial available
- No