Skip to main content

Help us improve the Digital Marketplace - send your feedback

PayPoint

Tone Masking DTMF

PayPoint offers DTMF tone masking to support your contact centre and organisation by supressing or masking sensitive authentication data and maintaining PCI compliance. This allows calls to be recorded for quality or training purposes whilst protecting the data from cards used by customers to make payments.

Features

  • Ability to take PCI-DSS Compliant Telephone Payments
  • Hosted solution sits independently from your existing telephony systems.
  • Customer simply inputs Payment Information into telephone keypad
  • Cloud-based solution allows for multiple agent usage of Platform
  • Agents can access solution securely from contact centre or home
  • Automated Software masks keypad (DTMF) tones input for making payments.
  • Ability to set-up recurring Payments, provision Instalment Payments
  • Payments can be taken for MID’s - single solution.
  • Existing phone lines re-directed to enter secure tone masking environment
  • Pull data from CRM or sources in a secure manner

Benefits

  • De-scopes Contact Centre - No need for costly PCI-DSS Compliance
  • Increase data security
  • Fully compliant for office and non office-based staff
  • Calls can be recorded in full, no ‘Pause and Resume’
  • No Cardholder data will enter your environment
  • Intuitive agent interface as part of the payment flow process
  • Hosted solution, no costly rip and replace of existing infrastructure
  • Recurring Payments helps collection rate
  • Uninterrupted Call Recording with no data storage
  • Enhances Customer experience with no 'Pause and Resume'

Pricing

£0.20 to £0.25 a transaction

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ianranger@paypoint.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

2 2 7 9 2 9 4 0 1 3 4 7 6 4 5

Contact

PayPoint Ian Ranger
Telephone: 01707 600388
Email: ianranger@paypoint.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
The PayPoint service is available 24/7 and we operate a full disaster recovery facility to provide complete service resilience. In the event we do carry out system maintenance, we provide our clients with notice and schedule overnight to ensure minimal disruption.
System requirements
  • Our service is available via Internet Explorer 9+
  • Compatible with latest version of Chrome
  • Compatible with latest version of Firefox
  • Compatible with latest version of Opera
  • Compatible with Safari

User support

Email or online ticketing support
Email or online ticketing
Support response times
Depending on the severity of the question. Responses can be handled immediately. At weekends, only severity 1 questions will be handled immediately.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
The PayPoint Client Management team are available 9 to 5:30 Monday to Friday. Outside of core hours, we maintain an operational contact centre that is available 24/7 to deal with any urgent issues.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
PayPoint's Client Implementation team will work with you to develop, test and implement the services. We will provide you with specifications and user documents and we will help you to complete a questionnaire which details your requirements. Once developed, we provide full end to end testing and implement upon your acceptance. When the service is live you will be introduced to the Client Services team who will manage any day to day issues or questions you may have.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Transaction data is provided daily up to the day the contract ends. Any client data will be returned at the end of the contract.
End-of-contract process
In the event the buyer transfers to another supplier, PayPoint will help to ensure a smooth transition. There would be no additional costs.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile user journey for setting up direct debit mandates can be either through mobile enabled sites or directly through APIs from your own apps.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
The interface is an easy to use interface that allows user to set up and maintain customers and direct debit mandates.
There is required BACS reporting, and additional insight reporting available through the platform.
The interface makes it easy for any organisation to manage their Direct Debits.
Accessibility standards
None or don’t know
Description of accessibility
Users can:

Set up new direct debit mandates
Manage existing direct debit mandates
Search for customer Direct Debits
Create new schedules
Review BACS reports
Run tailored insight reports.
Audit Transactions
Accessibility testing
This has not been tested but our excellent coding standards mean that the interface should be compatible with screen readers.
API
Yes
What users can and can't do using the API
PayPoint have made available direct APIs in order to facilitate the payment, and removing the need for clients to be PCI compliant if required.

All PayPoint channels are built on a common set of RESTful APIs. These APIs are now being offered to clients to allow them to build their own channel apps or integrate into existing ones.

PayPoint offers a full user journey scoping service, advising on the best APIs to use to achieve maximum user satisfaction.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
PayPoint can provide buyers with a range of customisation within Direct Debit

Our Hosted Mandate Page can be fully branded and be compliant with BACS.

Bank Modulus checks and Postcode checks are included

APIs allow full customer user journey control.

Our Client Implementation team will work with you during the set up process to customise the service to your requirements.

Scaling

Independence of resources
PayPoint operates a 24/7 real time on-line system, supported by dual data centres to ensure full service availability at all times. Across all payment channels, PayPoint has an enviable track record of near total up-time, meeting industry best standards and this extends to resilience in the event of major service problems. During peak periods, PayPoint processes over 10 million transactions a week.

Analytics

Service usage metrics
Yes
Metrics types
As well as providing a daily batch transaction file (csv format), PayPoint provide an online dashboard so buyers can see Direct Debit Transactions.
In addition to all Mandatory BACS reporting, reporting is available on customer behaviour and insights.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Data is held in a private subnet which is only accessible via a VPN; bank data is encrypted and not visible in plain text. ISAE 3402 I-Movo (as entirely hosted in Azure); RSM (as entirely hosted in AWS). Backup and storage of tapes: Encrypted using CommVault; Company laptops: Encrypted using Bitlocker. Obfuscating and Encryption techniques: Where appropriate to the risk (following ISO 27001, PCI DSS Compliance standards)
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
PayPoint provide clients with daily transaction files which contain details of all transactions processed the previous day.

All Reports are also available to download via the Direct Debit Client Portal
Data export formats
  • CSV
  • Other
Other data export formats
Excel
Data import formats
  • CSV
  • Other
Other data import formats
Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
SLA = 99.99% availability
Users are refunded via bet invoicing methods.
Approach to resilience
Regular monitoring. The service is based in Dublin Ireland and is mirrored in three data centres which are on separate power and telecoms networks. If one becomes unavailable, it switches to one of the other two to maintain availability. We also hold a separate copy of the data in London and this can be deployed and running in one hour.
Outage reporting
Email and system notifications to authorised Users. Any outages are reviewed at a management meeting monthly.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Any access to our interfaces requires the end user to enter their Username and Password.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI - ISO/IEC 27001 2013
ISO/IEC 27001 accreditation date
14/08/2022
What the ISO/IEC 27001 doesn’t cover
Nothing - All systems, premises, software applications, business processes and operations are covered.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Foregenix Ltd
PCI DSS accreditation date
17/05/2023
What the PCI DSS doesn’t cover
N/A
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
PayPoint has a documented Group Information Security Policy and Security Policy Framework both compliant with ISO27001:2013. These are supported by a suite of other policies and procedures published for staff on our Intranet. Examples include anti-virus protection, vulnerability management, internet and e-mail use, staff training, risk management and incident reporting.

We ensure compliance to these policies by implementing our own internal audit system, employing third party auditors to target specific areas of governance and we are subject to registration visits twice per year for ISO27001:2013, once per year for PCI DSS and a number of audits for LINK compliance. All staff including contractors are expected to complete an information security induction when they begin at PayPoint and all staff are given refresher training once per year. All staff are expected to complete both GDPR and DPA training on our learning management system.

The company has established a Cyber Security Sub-Committee and the board actively participate in both strategic risk reviews and incident exercises.

PayPoint has a Risk and Compliance team comprising of a Head of Risk and Compliance, a Risk and Compliance Manager, a Fraud and Police Investigations Officer and a Technical Security Analyst.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
PayPoint has a documented change management procedure. Development and production environments and staff are segregated. There is a weekly change review board that must approve any change before it is deployed to production. There is a facility for emergency changes to be released but this requires senior IT Management approval. PayPoint has dedicated project managers, a dedicated configuration manager and a documents software development process. In production, change managers have oversight of product deployments. Every weekday there is a meeting on the operations bridge to review all technical incidents changes and business in hand.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
PWe employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
There is a daily bridge review of all risks and incidents which is internally escalated and reviewed.

We also employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
Incident management type
Supplier-defined controls
Incident management approach
PayPoint is registered for ISO27001 and is PCI compliant. In the event of an incident, we will notify our clients via e-mail. If Users identify an incident, they should contact their Account Manager or the Operations bridge if outside core hours. PayPoint provide incident reports via e-mail where appropriate.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

Social Value

Tackling economic inequality

Tackling economic inequality

Supporting customers and retailers, enabling clients to provide vital
services in the community.

Pricing

Price
£0.20 to £0.25 a transaction
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ianranger@paypoint.com. Tell them what format you need. It will help if you say what assistive technology you use.