PCI Pal

PCI Pal® Agent-assisted phone-based payments

PCI Pal® Agent-assisted phone-based payments, utilises DTMF (Dual Tone Multi Frequency) masking technology to provide companies with a secure way of handling payments by phone without bringing their environments in scope of PCI DSS. Allowing merchants complete flexibility to enable their customers to click to pay or speak to pay.

Features

• De-scope for Contact Centre from PCI DSS Requirements
• Secure financial transaction
• Reduce call handling times
• Improved customer experience

Benefits

• Prevent sensitive card data from entering your environment
• Provide peace of mind for your customers
• Improve both the customer and agent experience
• Streamline your process when taking telephone payments

£100 to £360 a licence a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.swift@pcipal.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

406784112934429

Contact

David Swift
+44 (0)330 131 0340
david.swift@pcipal.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Can be integrated with payment and CRM applications; Can be integrated as part of a contact centre or telecoms offering
• Cloud deployment model: Private cloud
• Service constraints: The service is agnostic to all connecting components: Telephony, Desktop (e.g. Billing or CRM system), and Payment Gateway.
• System requirements:
  • Access to Web Browser or Web-Interfacing Desktop Application
  • Each User must have access to a telephone
  • Customer environment requires TLS 1.2 to connect to PCI Pal
  • Browsers should adhere to supported list

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: As per standard SLA
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Priority 1 (Critical); Contact Channel: Telephone ; Response Time: 1 hour; Definition: Complete loss of the Service to all users within one or more sites or business units.; ; Priority 2 (High); Response Time: 4 hours; Definition: Significant degradation of the Service affecting more than 30% of users, calls or payment attempts within one or more sites or business units.; ; Priority 3 (Medium); Response Time: 24 hours; Definition: Degradation of the Service affecting less than 30% of users, calls or payments within one or more sites or business units OR widespread loss of ancillary functionality that does not prevent processing of payments, such as post transaction logic.; ; Priority 4 (Low); Response Time: 48 hours; Definition: Localised technical issues affecting single users.; ; Priority 5 (Very low); Response Time: 72 hours; Definition: Transient faults that have been ameliorated prior to being reported to PCI Pal or non-functional issues such as UI defects.; ; Dedicated Customer Success Managers (Technical Account Managers ) are assigned to deployments exceeding 150 agents
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The service is very simple for a user to use and the standard train-the-trainer and User Acceptance Testing can be completed in a single day. We are able to provide both remote, on-site and on-line learning packages. We can work alongside Training Departments for larger organisations or where more custom integrations have been created, to help build internal training programs for users. ; ; The project will also include either on-site or remote go live support.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Export by PCI Pal
• End-of-contract process: PCI Pal will contact the user at the end of the contract to determine their requirements and agree a new term or exit process if required

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Page elements are resized accordingly to work with mobile devices
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Agents (users) are presented with a window that displays fields for card number, expiry date and security code. Within these fields, asterisks are displayed to represent the numbers being entered by the caller.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Dragon, Read/Write Gold, JAWS, Zoom Text.
• API: Yes
• What users can and can't do using the API: The service for Agents/Advisors (i.e. individual users) through the API is the same. By integrating a Desktop Billing System to the API, the user experience can be enhanced due to the fact that all necessary data can be passed directly to PCI Pal without manual input by the User.; ; Administrative Users have the ability to configure the service including integration points and configuration of the User Interface. This setup is usually performed by PCI Pal in the initial deployment of the service but full training is available should the customer wish.; ; Changes are made via the Administration web-based environment and not directly through the API. The API allows interfacing between a customer Desktop Environment and PCI Pal via RESTful Web Services.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: User interface can be customised to accommodate specific user requirements. This work is carried out by the PCI Pal professional services team and is included within the standard deployment process.; ; Following suitable training and accreditation from PCI Pal, it is possible to enable a customer's development team to access and administer changes to the service.

Scaling

• Independence of resources: For each User (end customer), PCI Pal sets a limit for accessing each component (Web and Telephony) into PCI Pal. An example of this is the number of simultaneous telephone calls allowed for each user. This is not the number of licences, but a maximum peak above the number of licences to allow some burst scenarios. Alerting is used within the platform and the nature of the Cloud service architecture means that additional capacity can be very quickly added when capacity thresholds are reached.

Analytics

• Service usage metrics: Yes
• Metrics types: Both standard and customised usage reports are available to show volumes, transactions attempted based on different criteria.
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Service request to PCI Pal
• Data export formats: Other
• Other data export formats:
  • PDF
  • HTML
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Network Availability; PCI Pal offers a target service uptime availability to the Customer as follows: PCI Pal Platform Availability 99.99% average uptime per month; ; Service Credits will be calculated as a percentage of the Customer’s monthly licenses cost as indicated below. Where licenses are paid annually this will be the annual cost divided by 12.; 99.90% - 100% Uptime - Service Commitment met, no credit due.; 99.50% - 99.89% - Minor downtime, 3% credit due.; 99.00% - 99.49% - Moderate downtime, 6% credit due.; 98.99% or less – Major downtime, 10% credit due.
• Approach to resilience: Available on Request
• Outage reporting: PCI Pal has a system status dashboard that authorised users can login to to access system status, incident updates and planned maintenance. Notifications for all system status events will also be delivered by email to users who have registered to receive such notifications.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Platform is tenanted in the web environment and only allows Admin-level users to have access to the management interfaces of their specific tenant. Admin-Level users can also create sub-tenants within their own tenant and grant sub-tenant admin access to users. Standard Users (Agents) access the system to simply conduct payments for end customers. They are not able to view any of the administrative areas of the system or change or modify the functionality of their payment screens.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 01/03/2024
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: IT Governance Ltd
• PCI DSS accreditation date: 14th October 2023
• What the PCI DSS doesn’t cover: We are a level 1 certified service provider and have been since 2011
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO 27001
  • PCI DSS V3.2.1 Level 1 Service Provider

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001, ISO 22301, and PCI DSS compliant. PCI Pal adopts automatic and manual monitoring of systems to adhere to these policies.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Configuration and change requests are logged via our ticketing system (CR). ; The CR must include a deployment plan, a rollback plan, a test plan and detail potential risks and impact to service, during the change window.; The CR is peer assessed before being passed for Change Manager and CAB approval.; A CAB is formed to assess and approve CRs on a weekly basis.; Once released, the change is tested and signed off.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Monthly reassessment to PCI DSS compliance;; Threats alerted from US-CERT, Cisco and Microsoft bulletins. ; Patches deployed monthly if non-critical, within 3 days if critical.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Constant monitoring by ASV.; Centralised logging server is monitored. ; Incident Response plan in place with response deadlines within 8 hours. Any service-affecting incidents adhere to the defined Priority Level SLAs for customer communication on top of the Incident Response plan mentioned above.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Incidents can be raised reactively by a customer or proactively via our monitoring tools.; All incidents are logged via our ticketing system (INC).; Incidents are triaged and assessed for impact then prioritised correctly. ; Once resolved, the customer is contacted to confirm satisfactory resolution.; Problem tickets (PR) are raised for any necessary follow up investigations (root cause analysis etc) following a high priority incident. ; For all high priority incidents, a full fault summary is provided once the investigation is complete.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  PCI-PAL PLC is committed to achieving Net Zero emissions by 2040. https://www.pcipal.com/carbon-reduction-plan/

  Covid-19 recovery

  PCI Pal was the first in our market to build and launch a true-cloud, globally-available, secure payment platform . Being based entirely on a global AWS network with no physical hardware or data centre requirements, PCI Pal were able to continue to deploy solutions throughout the COVID-19 pandemic. The PCI Pal true cloud platform enabled many home-based workers to take PCI compliant payments even during the global lockdown when many offices and businesses were shut down. The PCI Pal product suite enabled merchants that do not have a centralised call handling system that is already PCI compliant to treat homeworker’s residential or mobile telephones as extensions on the system. ; With a global deployment footprint and rapid deployment capability, coupled with low agent training requirements PCI Pal allows merchants to maintain PCI compliance across a distributed remote workforce. PCI Pal's workforce were able to maintain business as usual throughout lockdown.

  Equal opportunity

  PCI Pal is an equal opportunities employer and user of supplier services. It is committed to providing equal opportunities throughout employment including the recruitment, training and promotion of workers, and to eliminating discrimination in the workplace on grounds of the protected characteristics under the Equality Act 2010:; ; age; being married or in a civil partnership; being pregnant or on maternity leave; disability; race including colour, nationality, ethnic or national origin; religion or belief; sex; gender reassignment; sexual orientation; ; All job applicants and workers are treated equally and the company will comply with its duty to consider reasonable adjustments, where appropriate, for applicants and workers with a disability under the Disability Discrimination Act 1995. This policy also applies to the selection, negotiation and dealings with any stakeholders. ; ; The company will endeavour to ensure that job vacancies are advertised/publicised so that the widest range of candidates can apply. The company’s objective is to attract job applications, and applications for promotion and training from the best possible candidates regardless of any protected characteristics.

  Wellbeing

  PCI Pal offer employees paid 'Evolve' days for development, growth and progression, which is an important part of PCI Pal's “enjoy the journey” company value. Evolve days can be used to explore something they have always wanted to do, learn a new skill or volunteer, giving staff the opportunity to evolve themselves, their experiences and their skill set. ; Evolve Days foster a sense of pride and satisfaction, whether that is supporting the local community, building friendships or developing new skills. ; Evolve days can be used on such activities as: ; Volunteering at local food banks or drives; Taking part in a taster session for a new skill to i.e. trying a new sport, learning to paint, sewing...; Go green efforts, including litter picking or clean ups; Youth/education mentoring or support (for example, careers talks); Working at a local nursery or school (for example, helping children to read); Volunteering at a religious or faith group; Helping or befriending elderly people; Local legal and financial support organisations (e.g. those offering services free of charge); Mentoring local students; ; PCI Pal also offers all employees free access to a health and wellbeing portal, Wisdom, which provides confidential email, telephone, and live chat counselling, wellbeing & health advice.

Pricing

• Price: £100 to £360 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.swift@pcipal.com. Tell them what format you need. It will help if you say what assistive technology you use.