PayPoint

Merchant payment terminal services - Chip and Pin

Merchant Rentals offer a range of payment terminal finance solutions, giving you access to point of sale equipment without the financial burden of an outright purchase. Our secure payment services suit all business needs, including countertop and mobile chip and PIN card machines, also equipped with the latest contactless technology.

Features

• Suitable for a range of environments
• Ideal for businesses with multiple points of sale at site
• Essential for enabling taking card payments to the customer
• Creates efficiency for customers and operators through portable environments
• Smart Roaming SIM cards, supporting UK geographical areas
• Certified to the latest PCI security standards

Benefits

• Face to Face transaction processing
• Extremely reliable due to fixed connection points
• Multiple location uses for different business environments
• Keeps payments moving
• Designed for varying and demanding environments

£22 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ianranger@paypoint.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

305966577091407

Contact

Ian Ranger
01707 600388
ianranger@paypoint.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: The PayPoint service is available 24/7 and we operate a full disaster recovery facility to provide complete service resilience. In the event we do carry out system maintenance, we provide our clients with notice and schedule overnight to ensure minimal disruption.
• System requirements:
  • Our service is available via Internet Explorer 9+
  • Compatible with latest version of Chrome
  • Compatible with latest version of Firefox
  • Compatible with latest version of Opera
  • Compatible with Safari

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times to the support lines will be immediate whilst resolution times will vary based on the severity of the incident. ; Contacting account managers at weekends will have a delayed response.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The PayPoint Client Management team are available 9 to 5:30 Monday to Friday. Outside of core hours, we maintain an operational contact centre that is available 24/7 to deal with any urgent issues.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: PayPoint's Client Implementation team will work with you to develop, test and implement the services. Depending on the service requirement, we will provide you with specifications and user documents and we will help you to complete a questionnaire which details your requirements. Once developed, we provide full end to end testing and implement upon your acceptance. When the service is live you will be introduced to the Client Services team who will manage any day to day issues or questions you may have.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Transaction data is provided daily up to the day the contract ends. Any client data will be returned at the end of the contract.
• End-of-contract process: In the event the buyer transfers to another supplier, PayPoint will help to ensure a smooth transition. There would be no additional costs.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: PayPoint can provide you with a white label app or API enabling you to plug in PayPoint's payments engine into your own app.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The Client Portal is a rich insight and management tool for reporting on transactions. ; User can be given permissions by role which include the ability to do full and partial refunds.
• Accessibility standards: None or don’t know
• Description of accessibility: Users are able to: ; View transactions; Filter transactions by channel, outcome, failure reasons. ; All reports are able to filtered by date. ; Search by customers and status (active/inactive and deactivation and activation) ; Review pre-loaded reports on transactions and consumer spending; Manage users; Do full and partial refunds; Download reports
• Accessibility testing: None
• API: Yes
• What users can and can't do using the API: PayPoint have made available direct APIs in order to facilitate the payment, and removing the need for clients to be PCI compliant if required.; ; MultiPay APIs enable a client to fully replicate all MultiPay transactions capabilities in their own interfaces. ; This includes - guest payments, setting up and storing cards, retrieving cards. viewing transaction history, user log in, reversals and refunds, and continuous authorisation. ; ; All PayPoint channels are built on a common set of RESTful APIs. These APIs are now being offered to clients to allow them to build their own channel apps or integrate into existing ones. The APIs and Services currently being offered are as follows:; ;  MultiPay API ;  AAA API (Identity Service);  Hosted Fields Service ;  Card Services – Short Term Tokenisation;  Direct Debit API
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: PayPoint can provide buyers with a range of customisation across our various services, for example: ; ; - Buyers can set the minimum and maximum payment amounts they wish to allow, or we can have set denominations. ; - Receipts (physical for retail payments or electronic for digital payments) can be tailored to include your company name and customer message.; - The web site and app can be customised to include your logos and brand colours.; - The IVR service can be tailored with your customer messages.; ; Our Client Implementation team will work with you during the set up process to customise the service to your requirements.; ; APIs can be used to completely tailor your own customer user journey.

Scaling

• Independence of resources: PayPoint operates a 24/7 real time on-line system, supported by dual data centres to ensure full service availability at all times. Across all payment channels, PayPoint has an enviable track record of near total up-time, meeting industry best standards and this extends to resilience in the event of major service problems. During peak periods, PayPoint processes over 10 million transactions a week. ; ; We operate a disaster recovery service with active-active running across dual data centres. Business continuity plans are regularly tested and apply the best practices of security standards.

Analytics

• Service usage metrics: Yes
• Metrics types: As well as providing a daily batch transaction file (csv format), PayPoint provide an online dashboard so buyers can see card payment transactions in real time.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Data is held in a private subnet which is only accessible via a VPN; bank data is encrypted and not visible in plain text. ISAE 3402 I-Movo (as entirely hosted in Azure); RSM (as entirely hosted in AWS). Backup and storage of tapes: Encrypted using CommVault; Company laptops: Encrypted using Bitlocker. Obfuscating and Encryption techniques: Where appropriate to the risk (following ISO 27001, PCI DSS Compliance standards)
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: PayPoint provide clients with daily transaction files which contain details of all transactions processed the previous day. These csv files can be distributed via email, FTP or SFTP (Push or Get). ; ; For our MultiPay services (DD, Online, IVR and App), clients have access to a portal to monitor transactions and run reports. ; ; Our Cash Out service also enables clients to pull data and run reports via the online portal.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Our terms and conditions include SLA's to give our clients assurance that we will provide a high level of availability. These include all payment terminals being available to capture customer payments for at least 99% of the retailers opening hours. For our MultiPay services we also have a minimum 99% uptime service level. ; ; Failure to achieve our performance standards results in liquidated damages and compensation payments to our clients.
• Approach to resilience: PayPoint operates a 24/7 real-time on-line system, supported by dual data centres to ensure full service availability at all times for both our over the counter and MultiPay platforms. PayPoint has an enviable record of near total up-time, meeting best industry standards and this extends to resilience in the event of service problems. We have full disaster recovery for our services with active-active running across dual data centres. Business continuity plans are regularly tested.
• Outage reporting: In the event of a service disruption, notifications via e-mail are issued to our clients to make them aware. Maintenance work is generally scheduled overnight to minimise disruption and advance notice is provided.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Any access to our interfaces requires the end user to enter their Username and Password. For our Cash Out service, users are provided with Crypto tokens which they require to access the service. We also record the users IP address so they can only access from that address and we can provide security levels and limits on the value of vouchers that can be issued.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Standards Institute (BSi)
• ISO/IEC 27001 accreditation date: 14/08/2022
• What the ISO/IEC 27001 doesn’t cover: The Information Security Management System relating to the operation by PayPoint Network Ltd of systems for the collection of customer payments and the dispensing of cash through the PayPoint and PayByPhone branded network of retailer terminals, ATMs and mobile device payment schemes.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Foregenix Ltd
• PCI DSS accreditation date: 17/05/2023
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: PayPoint has a documented Group Information Security Policy and Security Policy Framework both compliant with ISO27001:2013. These are supported by a suite of other policies and procedures published for staff on our Intranet. Examples include anti-virus protection, vulnerability management, internet and e-mail use, staff training, risk management and incident reporting.; ; We ensure compliance to these policies by implementing our own internal audit system, employing third party auditors to target specific areas of governance and we are subject to registration visits twice per year for ISO27001:2013, once per year for PCI DSS and a number of audits for LINK compliance. All staff including contractors are expected to complete an information security induction when they begin at PayPoint and all staff are given refresher training once per year. All staff are expected to complete both GDPR and DPA training on our learning management system. The company has established a Cyber Security Sub-Committee and the board actively participate in both strategic risk reviews and incident exercises.; ; PayPoint has a Risk and Compliance team comprising of a Head of Risk and Compliance, a Risk and Compliance Manager, a Fraud and Police Investigations Officer and a Technical Security Analyst.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: PayPoint has a documented change management procedure. Development and production environments and staff are segregated. There is a weekly change review board that must approve any change before it is deployed to production. There is a facility for emergency changes to be released but this requires senior IT Management approval. PayPoint has dedicated project managers, a dedicated configuration manager and a documents software development process. In production, change managers have oversight of product deployments. Every weekday there is a meeting on the operations bridge to review all technical incidents changes and business in hand.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: PayPoint uses supplier defined controls, these comply with PCI DSS, ISO27001:2013 and LINK requirements. PayPoint is registered to the first two standards and a member of the third.; PayPoint has a documented vulnerability management policy and has an in-house resource who conducts monthly ASV scans. ; PayPoint's Patch Review Board reviews vulnerabilities, available patches and priority of patch deployment. Critical and high rated security patches are typically deployed within a month. Critical patches may be deployed more quickly. ; PayPoint uses McAfee anti-virus software and EPO is configured and tested to issue virus alerts when any potentially suspicious item is detected.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: PayPoint uses McAfee anti-virus software and Mimecast mail scanning. EPO is configured and tested to issue virus alerts when any potentially suspicious item is detected. Our standing procedure is to identify the device, remove it from the network and begin scans. ; ; We operate a 24/7 Operations Bridge which monitors services and operational incidents so we can respond as quickly as possible.
• Incident management type: Supplier-defined controls
• Incident management approach: PayPoint is registered for ISO27001 and is PCI compliant. In the event of an incident, we will notify our clients via e-mail. If Users identify an incident, they should contact their Account Manager or the Operations bridge if outside core hours. PayPoint provide incident reports via e-mail where appropriate.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Supporting customers and retailers, enabling clients to provide vital ; services in the community.

Pricing

• Price: £22 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ianranger@paypoint.com. Tell them what format you need. It will help if you say what assistive technology you use.