Clarity Information Solutions

Clarity IVR – Secure Payment Telephony

Clarity IVR is a Level 1 PCI-DSS Compliant v3.2 secure telephone payment platform. It is used by public authorities to allow call centre staff to take telephone payments from members of the public without needing to record any cardholder data. This approach improves security and facilitates PCI compliance.

Features

• Secure telephone payment platform for call centres
• Customers enter card holder data via telephone keypads
• DTMF tones are suppressed and cannot be heard by staff
• Live payment progress view for staff using a web screen
• Tokenisation (only take card details once)
• Recurring payments (create recurring Payment Plans)
• Promise to Pay (take payment information, but defer payment)
• Real-time reporting
• Level 1 PCI-DSS Compliant v3.2
• Integrates with numerous payment platforms and CRM systems

Benefits

• Improves security by eliminating staff exposure to cardholder data
• Facilitates PCI compliance for merchants taking telephone payments
• Payments can be processed at any time, 365 days/year
• Maintain a continuous conversation with customers when taking card details
• Staff can support nervous customers throughout the telephone payment process
• Removes the need to pause call-recordings
• 100% hosted solution, meaning no on-site installation
• Concurrent licence model supports cost-effective multiple agent logins
• Integration with major payment service providers and CRM systems
• Competitive call and transaction rates

£1,200 a licence a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bill.duke@clarity-ltd.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

361693497054495

Contact

Bill Duke
07800810460
bill.duke@clarity-ltd.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Not applicable.
• System requirements:
  • Port 3000 to be open to Clarity IVR IP addresses.
  • Client telephone system able to warm transfer to external numbers.
  • Each agent must have a ddi or extension number.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: An initial response is provided within 15 minutes.; ; The standard service is available between 08:00 hours and 17:30 hours on Monday to Friday excluding UK public and bank holidays.; ; 24/7 response coverage is also available for an additional fee.; ; Critical Faults - Technical response within 30 minutes, provide analysis and guidance within 3 hours, provide resolution within 6 hours.; ; Major Faults - Technical response within 1 hour, provide analysis and guidance within 1 day, provide resolution within 2 days.; ; Material Faults - Technical response within 3 hours, provide analysis and guidance within 1 day, provide resolution within 5 days.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Clarity uses a third party web chat service provider that has completed; appropriate web chat testing. We have however not been directly involved in this testing.
• Onsite support: Yes, at extra cost
• Support levels: Clarity provides a fully managed solution support service, which is underpinned by a Service Level Agreement. The service includes unlimited access to a Help Desk, with guaranteed response and resolution timescales for all support requests.; ; All costs are included within the monthly subscription and no additional usage or service level fees apply.; ; Customers are provided with direct access to suitably qualified and experienced technical support personnel through the Help Desk. An Account Manager is also assigned to each customer and given overall responsibility for ensuring services are delivered in accordance with contractual obligations and customer expectations.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Clarity provides onsite user acceptance testing and training services before go-live. User documentation is provided as part of that service. ; We also provide an onsite transition support service, where a system specialist works with new users in their offices during the first few days of system adoption. This approach is used to facilitate a seamless transition to effective use of Clarity IVR with minimal business disruption.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: Clarity shall provide an extract of all pertinent data in a format agreed with the client.; All data is collected solely for the purpose of processing payments and communicating the outcome of the payment transaction.; Data is retained for a fixed retention period or duration of the contract as instructed by our Client, the Data Controller.
• End-of-contract process: The solution is taken off-line at an agreed time on the contract end date. Clarity provides a full export of all client-requested data in an agreed common use format, such as csv or xlsx, within 10 business days after the contract end date.; Clarity destroys all client data 1 month after contract expiry or at an earlier date, if preferred by the customer.; The customer is notified and confirmation is sought prior to destruction of data.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: As a secure telephony solution, there is no need to use a desktop service and clients can use mobile devices just as easily as they can use traditional phones.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: Clarity IVR works with many different APIs and integrates with hundreds of different platforms (the solution can be configured standalone, or can integrate via a SFTP or API integration).; Through a direct API Integration into a client’s internal platform, the Clarity IVR platform can correspond through a SOAP/Web Service and check information as it is entered into by the customer/agent. By doing this, confirming reference numbers, identifiers, amounts and posting information back into a CRM is performed in real-time and speeds up any reconciliation. It also eliminates the need to up/download files each day, since a client’s platform/database is updated after every payment.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users can select from an extensive range of functional configuration options in order to adapt the solution to support preferred working practices.; Business users are invited to participate in requirements clarification workshops, which are used to identify customisation preferences that are configured by Clarity prior to initial go-live. ; Customisation options include:; - Integration with a variety of different online payment gateways.; - Integration with a variety of different CRM systems.; - Tokenisation: The ability to tokenise a customer’s card. Customers can then provide card details once and they are saved against a reference which is unique to each particular customer; - Recurring Payments: The platform can create a Recurring Payment Plan. Payments can then be taken weekly, fortnightly, monthly, etc.; - Promise to Pay: The platform can create a Promise to Pay solution that allows for payment information to be taken on the date of contact and the payment will hold until a date decided with the Agent and Customer.

Scaling

• Independence of resources: Multiple servers are operated in 2 separate geographically located data centres. Segregated instances are deployed for each client. The service array allows for double maximum capacity and is typically doubling each year. Normal running speed is 20% of capacity and 50% at peak.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics including;; ; Successful payments; Failed payments; MI reports; Call logs broken down per agent; Tokenised cards; Recurring payment plans
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: We provide a management reporting tool that can be used to produce parameter-driven reports encompassing all/any data that is held in the database.; ; Suitably authorised users can produce these reports and then save them to a convenient common-use format (csv, xlsx or pdf).; ; Clarity is also happy to provide user-requested data exports free of charge as part of the managed solution support service that we provide.
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • XLSX
  • PDF/A
• Data import formats:
  • CSV
  • ODF
  • Other
• Other data import formats: XLSX

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Our guaranteed availability for Clarity IVR is 99.8% and our goal is 99.9%. Service Credits available for noncompliance with our guaranteed availability.
• Approach to resilience: Our secure datacentres are ISO 27001 certified and our approach is governed by our stringent PCI compliance accreditation and ISO practices.
• Outage reporting: We have implemented heartbeat and monitoring processes to monitor and manage outages by our staffed Helpdesk.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Agents can be set up with different permission levels of User access or Admin access. Users and Admin agents are able to carry out different tasks (e.g. users are able to take payments only and Admin agents are able to manage and create users, manage stored cards and options within the portal).; ; User identities are validated before action is taken in response to support requests.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 29/08/2019
• What the ISO/IEC 27001 doesn’t cover: Certification is specific to the IVR production environment, connected devices and associated technical personnel, in accordance with the associated Statement of Applicability.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Nettitude
• PCI DSS accreditation date: 2nd June, 2021
• What the PCI DSS doesn’t cover: The scope is restricted to service providers (IVR systems).
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Clarity has gained extensive experience delivering high integrity information management solutions, which are used to store sensitive data, including records classified as SECRET, to numerous high-profile organisations throughout the UK public sector. Consequently, a robust approach to information governance and security management is fundamental to our business and our management structure, staff selection and personal development procedures reflect this core requirement.; In particular, we have established Security Operating Procedures (SYOPS) and most of our staff have undergone MOD, government and police security vetting procedures and have obtained clearance to work on confidential systems.
• Information security policies and processes: Clarity has established Security Operating Procedures (SYOPS) that define acceptable forms of use that apply to Clarity personnel whenever they access live customer environments.; ; SYOPS apply to all personnel who access live environments. While these procedures clearly apply to staff that provide routine support and maintenance services, they are equally applicable to any individuals who are required to access live environments for any reason.; ; The Operations Director is responsible for authorising individuals before they can access a live environment and for defining the permissible form/s of access and the purpose. The Operations Director maintains a register that identifies all such authorisations.; ; We utilise a systematic, risk-based approach to information security management, based on ISO 27001 requirements and guidelines. We identify system usage profiles and associated threats, vulnerabilities and risks. We also conduct impact assessments and assign security classifications in order to identify impact levels and risk tolerance, which influences the controls used to manage risks. Independent penetration testing is also used to increase information assurance.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Software configuration management procedures are used to identify and control the use of software items, thus enabling traceability and replication. Configuration management is used to ensure all software components can be combined in a consistent and repeatable manner. Our configuration management procedures include methods for:; - Unique identification and version control for all products and components.; - Receiving and acting on observations and for recording and controlling changes arising.; - Defining the means by which a product may be built or re-built.; - Controlling replication and distribution of products.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We utilise a systematic, risk-based approach to information security management, based on ISO 27001 requirements and guidelines.; We identify system usage profiles and associated threats, vulnerabilities and risks. We also conduct impact assessments and assign security classifications in order to identify impact levels and risk tolerance, which influences the controls used to manage risks. Independent penetration testing is also used to increase information assurance.; ; Patch deployment speed depends on perceived threat levels, but we can deploy critical patches within 2 days.; ; Clarity subscribes to feeds from recognised security experts and government bodies, including Qualys and the National Cyber Security Centre.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: All users must be authenticated in order to access system functionality. This cannot be bypassed and any malicious attempts to access Clarity IVR are recorded in system audit logs. ; ; Should a security breach occur, Clarity shall follow ICO guidelines in order to:; Identify how the breach occurred; Take immediate steps to stop or minimise further data loss, destruction or unauthorised disclosure; Assess and record the risk; Notify affected individuals and any relevant regulator (ICO); Establish what security measures were in place when the breach occurred; Assess whether technical or organisational measures could be implemented to prevent the breach happening again.
• Incident management type: Supplier-defined controls
• Incident management approach: Our Service Level Agreement defines an incident management process, which is enacted any time a Support Request is classified as an incident.; Users can report incidents by either phoning the Clarity Help Desk, emailing the Help Desk or raising a request through an online Support Portal.; Customers are initially advised on the progression and resolution of incidents through phone calls and emails. Customer agreement that an incident has been resolved is always documented (typically by email). Incidents are reported formally through monthly management reports, which identify the cause, the effect and actions taken to resolve the incident and prevent recurrence.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Clarity has increased our support for home-based working substantially and we have reduced business travel dramatically.
• Covid-19 recovery:

  Covid-19 recovery

  Clarity has increased our support for home-based working substantially and we have reduced business travel dramatically.
• Tackling economic inequality:

  Tackling economic inequality

  Clarity is happy to donate surplus IT equipment to charities and other 3rd sector organisations.
• Equal opportunity:

  Equal opportunity

  Clarity collaborates with local colleges to provide work experience and employment opportunities for junior staff.
• Wellbeing:

  Wellbeing

  Clarity has introduced flexible working practices to support the health and wellbeing of our staff.

Pricing

• Price: £1,200 a licence a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bill.duke@clarity-ltd.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.