TRANSUNION INTERNATIONAL UK LIMITED

TransUnion - Consumer Empowerment

TransUnion’s Consumer Empowerment solution aims to provide non-SHARE contributors access to Bureau data, where explicit Consumer consent is obtained. Our solution is uniquely positioned within the market to provide Organisations who don't contribute to the Bureau access to credit data; principally credit score where the necessary consent has been obtained.

Features

• Ensure the Consumer is genuine
• Understand the Consumers financial standing and propensity to pay
• View the Consumers financial agreements and public data records
• Use the data to power internal processes / decisioning
• Near-real time data access

Benefits

• Access the individuals credit score (rather than postcode average)
• Quick access to the Consumers debt and spending information
• Simple, quick and easy customer journey
• Reduction in manual effort
• Creation of an empowered Consumer

£0.60 to £5.00 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.pestereff@transunion.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

498242791405456

Contact

Mark Pestereff
07773 212093
mark.pestereff@transunion.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Please refer to the Service Definition
• System requirements: API only

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have a range of SLA's depending on the nature and criticality of the ticket; full details can be agreed as part of any contract.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support levels are agreed on a per use case basis. All Partners are given access to our Client Services Desk, a team of highly experienced and dedicated staff. TU recommend that any Partners make available a customer service team in order to support any general customer queries via email. ; ; TU have a dedicated training team that can provide initial and ongoing support to the Partner customer service teams. TU will provide bespoke training sessions that are tailored to cover a variety of topics on subjects such as credit referencing agencies, credit report data, credit scores and operational support processes to ensure that Partner staff have the appropriate knowledge to handle any first line customer queries. ; ; Training is delivered via a workshop style session, or on a 121 basis if preferred. Where Partner customer advisors have access to TU data, TU will provide a full accreditation program to ensure any advisors who are in contact with the TU data and services are appropriately trained and suitably skilled to fulfil their role. The accreditation program is a bi-annual exercise and can be delivered via a ‘train the trainer’ approach which allows flexibility or alternatively TU can handle the whole process.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: You will have access to our team of experts who will be available to help with the initial integration exercise. Our dedicated training team are available to provide initial and ongoing support as required. This team will deliver bespoke training sessions that are tailored to cover a variety of topics such as credit referencing agencies, credit report data and operational support processes to ensure that any approved staff have the appropriate knowledge to handle any first line customer queries.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: N/A
• End-of-contract process: At point of contract ending or terminating; the service is closed down and access for registered users is prevented. As this is an API only service all data resides with the Partner; agreement will be reached as to an acceptable time for the data to be removed for their systems.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The Consumer Empowerment Service interface is a browser based application which enables user management tasks including but not limited to viewing details of the users activity within the application. Furthermore, authorised admin users can view details of a consumers disputes and obtain some MI around utilisation via this service.
• Accessibility standards: None or don’t know
• Description of accessibility: Browser based application
• Accessibility testing: API only
• API: Yes
• What users can and can't do using the API: Multiple API's are available to support the provision of the service. API guides are available upon request. The API's provide users with the following capabilities;; 1. Validate a new user - ensure that the consumer is whom they are claiming to be; 2. Obtain a credit score - obtain a measure of a consumers financial standing; 3. Obtain a credit report - obtain a copy of the consumers credit report showing the financial arrangements that they hold and their attitude and ability to repay debt
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Along with having the ability to choose which modules are applicable for their use-case, TU work closely with Partners to ensure that the underlying logic for on-boarding and servicing end users is configured in to the create the optimum solution. As the data is consumed via API, Partners have the ability to design and visualise the data presentation layer to meet their own branding and presentation requirements, TU are available to support this process as required.

Scaling

• Independence of resources: Our platform is hosted in Microsoft Azure allowing us to easily scale out with the provision of additional nodes for the web and app tiers and scale up the database to meet capacity demands. High availability is supported by SQL AG for data and for the application we have load balanced servers that can scale out to meet demand and will fail over automatically to a DR site for resilience. We closely monitor the environment for visibility of potential bottlenecks in throughput to enable us to act proactively ahead of demand peaks and react quickly as required.

Analytics

• Service usage metrics: Yes
• Metrics types: Our standard report includes the following metrics and additional reporting requirements can be considered upon request.; ; 1. Number of Registrations ; 2. Number of Successful Registrations ; 3. Number of Registrations resulting in a 'thin file' ; 4. Number of Unsuccessful Registrations ; 5. Number of Activations ; 6. Number of Logins ; 7. Number of distinct logins ; 8. Number of first time logins
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: • Strong logical access control. Access is given based on least privilege and a need to know basis.; • Protective monitoring and event management using LogRhythm as a SIEM.; • Sourcefire & Palo Alto IDS.; • Checkpoint firewalls.; • Monthly vulnerability scanning programme of work.; • ISO27001 and PCI DSS compliant.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: N/A - Data resides within the Partners solution
• Data export formats: Other
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Web Application Firewall, IP Safe Listing, SSH key Pairs (for automation), complex password policy, Threat Detection Service team
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Data Loss Prevention, Privelleged Access Management, Data Encryption at Rest, SIEM Alerts and Monitoring, Anti-Virus and EDR, Firewalls and VPN's

Availability and resilience

• Guaranteed availability: Our standard availability for Consumer platform solutions is 98.5%. We would be happy to discuss any specific availability requirements as appropriate.
• Approach to resilience: We operated on an active / passive configuration, with passive being a 'warm stand-by.' Data is pushed to the passive servers on a high frequency (every 5 minutes) to ensure high data accuracy and consistency. Front end traffic manager it used to facilitate switching between sites as required.
• Outage reporting: The Consumer Platform has extensive error handling and reporting to provide early and detailed logs of any issues / errors. Our API guides provide detailed information around the error messages which can be returned by the API. Additionally our Client Support Team would notify affected clients via email as appropriate.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Each user will have a unique username and password provided along with company name. TransUnion also utilises the control of IP white listing and 24/7 security monitoring.
• Access restrictions in management interfaces and support channels: A policy of least privilege access is applied across the group to ensure employees only have access to what is required - this is regularly reviewed. Any privileged accounts are rigorously checked both prior to granting access, during use and on termination of permissions. Users come under multiple levels of policy regarding accounts and device usage. Networks are highly segmented with monitoring for inter-segment violations. Any sensitive systems are housed in dedicated secure environments.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Username or password
  • Other
• Description of management access authentication: All management accounts must go through TU privileged access management, which limits access based on security groups and only provides the required access. Usernames and Passwords are domain managed and follow the Transunion Password Policy.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 29/05/2021
• What the ISO/IEC 27001 doesn’t cover: A.14.1.3, A.14.1.2
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Payment Software Company, Inc. (DBAPSC)
• PCI DSS accreditation date: 02/08/2021
• What the PCI DSS doesn’t cover: Full Report on Compliance (ROC) can be screen shared upon request
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus; PCI DSS
• Information security policies and processes: TU follows a dedicated Information Security Policy, as well as other processes such as data encryption and key management, secure application development etc.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: TU defined product development lifecycle, which includes various gates including budget, security and IT infrastructure. Small changes are captured within our internal ticketing system.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Internal scans are completed on a regular basis (Daily, Weekly, Monthly depending on the endpoint). All Critical findings must be addressed within 30 days, High/Medium 60 days and Moderate to low 90 days. Any findings that cannot meet these deadlines must have a risk acceptance review and a deadline agreed by the business.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Threat Detection Service, Data Loss Prevention team, Incident Management team - All monitoring 24/7/365
• Incident management type: Supplier-defined controls
• Incident management approach: NIST 800-61 and SANS PICERL

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  TransUnion is a global information and insights company that makes trust possible in the modern economy. We do this by providing an actionable picture of each person so they can be reliably represented in the marketplace. As a result, businesses and consumers can transact with confidence and achieve great things. We call this Information for Good®.; ; A leading presence in more than 30 countries across five continents, TransUnion provides solutions that help create economic opportunity, great experiences, and personal empowerment for hundreds of millions of people:; ; Economic Opportunity – We help businesses find their best customers and determine the right ways to serve and keep them—through access to products and services that help them achieve their goals. ; Great Experiences – We enable our customers to deliver friction-right experiences and relevant offers tailored to specific consumer needs, preferences, and patterns, while reducing risks posed by fraud. ; Personal Empowerment – By extending tools, offers, and opportunities directly through businesses, we help more people understand and manage their financial situations, driving loyalty and cross-sell opportunities for our customers.

Pricing

• Price: £0.60 to £5.00 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.pestereff@transunion.com. Tell them what format you need. It will help if you say what assistive technology you use.