BOTTOMLINE PAYMENT SERVICES LIMITED

PTX Confirmation of Payee for Business (CoP for Business)

Confirmation of Payee (CoP) for Business allows compliance with Direct Debit Scheme rules and helps minimise the risk of payment fraud by verifying the ownership of bank accounts, identifying inconsistent and incorrect data, and reducing the potential for misdirected and failed or misdirected payments. Payer name verification paperless direct debits.

Features

• Verification of account and account owner with account holding bank
• Confirmation of Payee (CoP)
• Payer name verification

Benefits

• Verifies the account name matches that held by the bank.
• Reduce the number of accounts that can’t be verified electronically.
• Reduces the costs associated with manual checking of customer accounts.
• Helps identify where compromised account details are provided for payments.
• Helps prevent Direct Debits being set up against compromised accounts.
• Gives greater confidence fraud is prevented at point of capture.
• Assists in blocking account update fraud at point of change.
• Allows more Direct Debits to be set up without delay.
• Helps to identify and block BEC attacks,

£20 to £25,000 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BPS.Gcloud@bottomline.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

418633540918453

Contact

Isabelle Fernandes
<removed>
BPS.Gcloud@bottomline.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: PTX Direct Debit Management (DDM)
• Cloud deployment model: Private cloud
• Service constraints: "Onboarding customer must comply with service usage only being used to verify banks accounts and account holders where there is an intent to make or collect a payment.; ; ""Maintenance windows (publicised when used):; - Tuesday & Thursdays - 4am until 7am; - Saturday & Sunday - 00:00 until 07:30"""
• System requirements: API requires support of JSON queries over HTTPS

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: All the support SLA's are listed on the website : https://www.bottomline.com/uk/product-terms-conditions
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: Support only offer one level of support however accounts can be assigned a Customer Success Manager if required.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: User documentation
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Not applicable for this service
• End-of-contract process: Service access is disabled

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The CoP for Business UI allows users to manually enter bank account and name and verify if the details provided are correct
• Accessibility standards: None or don’t know
• Description of accessibility: Partially complies with WCAG 2.1 AA
• Accessibility testing: Third party vendor for Accessibility testing has used Screen Readers
• API: Yes
• What users can and can't do using the API: Service is fixed and is not configurable
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Resources are clustered and user activities are load balanced to dedicated resources. Service capacity is increased as usage grows to ensure that this does not occur.

Analytics

• Service usage metrics: Yes
• Metrics types: Query volumes and match result statistics
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Other
• Other data at rest protection approach: Our encryption standards comply with ISO/IEC 27001-2013 standards as well as follow NIST and COBIT controls. Data at rest is stored on encrypted using Oracle's Transparent Data Encryption - AES 256
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Bulk files uploaded for processing via the CoP for Business UI are downloaded through the same UI screen by selecting the download function flagged against the file once it has been processed
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: PTX aims to exceed 99.9% uptime but has no contractually committed SLA
• Approach to resilience: Available on request
• Outage reporting: Public dashboard for subscribed users

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: "We implement OAUTH2. We recommend 2-factor authentication when a customer's tenant is onboarded. It can be disabled by the admins if required.; We support Identity Federation (SSO), API Client credentials, User email & Password. ; Different type of authentication can be set up based on customer's need."
• Access restrictions in management interfaces and support channels: We restrict tenancy management only to Bottomline Platform Administrators. Both the Bottomline Platform Admins and Customer Admins can do the User, API Clients, Roles management.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: MSECB
• ISO/IEC 27001 accreditation date: 26/01/2023
• What the ISO/IEC 27001 doesn’t cover: 14.2.7 Outsourced Development was excluded from ISO due to being not applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: "Information Security Policies" are available on request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: "Weekly CAB meetings held to discuss, review and authorize changes to production systems; Pre-production test environments used for testing releases prior to deploys (including with customer access); Full SDLC available on request"
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our patch and vulnerability management standard complies with ISO/IEC 27001-2013 standards as well as follow COBIT controls. "Patch and Vulnerability Management Standard" document available on request.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: At Bottomline, we use a QRadar SIEM to capture audit information with respect to authentication, network devices, firewalls, anti-virus, and key production systems. This information is checked daily by the Security Operations Team and used to track offenses and anomalous activity as well as vulnerability scanning and remediation. Log reviews are performed regularly each business day, as well as ad-hoc during investigation or threat hunting activities
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: "Incident Reporting Standard" document available on request.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  Our PTX CoP for Business solution provides a digital alternative to the environmentally damaging practices associated with traditional manual processes. Unlike manual processes that require customers to send in printed copies of documents, which contribute to deforestation through paper consumption and rely on fossil fuel-intensive postal transportation, our digital platform eliminates the need for paper and physical delivery. Embracing digital alternatives not only enhances efficiency but also demonstrates a commitment to sustainability, paving the way for a greener future.

  Covid-19 recovery

  Payments have been instrumental in the COVID-19 recovery process, aiding numerous organizations in disbursing relief and compensation to individuals financially impacted by the pandemic. This has enabled individuals and businesses to meet essential needs, sustain livelihoods, and stimulate economic activity amidst pandemic-related restrictions. By streamlining bank account verification processes that enable timely disbursement, PTX CoP for Business is a key service for supporting recovery efforts, fostering resilience, and laying the groundwork for a more robust economic future.

  Tackling economic inequality

  PTX CoP for Business helps streamline account verification processes enabling efficient processing of digital payments including cost of living, energy rebate, and winter fuel payments. By minimising the potential for delay we enable payments to those most in need such as vulnerable individuals and families during challenging economic period and contribute towards tacking economic inequality and creating a fairer society.

  Wellbeing

  By helping ensure that payments are being made to the genuine account holder, PTX CoP for Business allows customers to safely process payroll, compensation, and regular payments ,and delivers peace of mind, shielding finance teams from potential blame or guilt related to scams. By reinforcing trust in the payment processes, PTX CoP for Business helps cultivate a safer and more supportive environment, preserving the mental wellbeing of finance professionals and boosting their confidence in their responsibilities.

Pricing

• Price: £20 to £25,000 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: For appropriate reasons, Bottomline will allow access to its Test suite for potential customers for a short period of time.; ; By the nature of the system (payments) , the complete cycle of a payment is mimicked not completed.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BPS.Gcloud@bottomline.com. Tell them what format you need. It will help if you say what assistive technology you use.