Secure digital payments

Service scope

Software add-on or extension: Yes
What software services is the service an extension to: Eckoh's Digital Payments is implemented as an extension to CallGuard Agent Assisted Payments.
Cloud deployment model: Public cloud
Service constraints: Only browsers which are supported for security patches and updates by their manufacturers are supported under the PCI DSS standard and therefore only these will be supported by us.
System requirements: IE9 or above.

Google Chrome (30 or above).

Mozilla Firefox (27 or above).

Safari (6 or above).

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response times do not change at the weekends. Response times differ on the error severity for example: Critical (24/7 Support) - 1 hour Major - 4 Business Hours Minor - 48 Business Hours
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Onsite support
Support levels: We do not provide a tiered support structure . All support is 24x7x365 and provided as standard within the cost of the service. We provide a technical account manager within the cost of the service.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: New customers will be guided through the onboarding process by a dedicated project manager and/or their operational account manager, depending on the complexity of their requirement.

The following documents will be provided as during this process:

1. Getting started: project delivery process, service set-up and testing
2. Service pre-requisites questionnaire
3. Integration documentation
4. Training guides
5. Ongoing support, SLA, and fault reporting.

All documentation is available to download from the support section of our website.

Services are switched on for go live on a specified date in agreement with the customer.
Service documentation: Yes
Documentation formats: ODF

PDF
End-of-contract data extraction: We will provide the buyer with an extract of management information collected during the course of the contract.
End-of-contract process: Configuration data for the service can be provided at this point.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None
Service interface: No
User support accessibility: None or don’t know
API: No
Customisation available: Yes
Description of customisation: The web pages that both the agent and customer are presented for the payment process can be customised to meet specific business requirements.
Customisation would typically be for non-standard API integration for legacy payment processes, information required to take the payment i.e. fields such as payment reference number, for displayed payment status to agents, and for branding presented to the customer.

Scaling

Independence of resources: We manage its platforms and infrastructure using a range of KPI and OPI measurements including average and peak utilization across all components. Trend analyses and sales pipeline are used to ensure that sufficient capacity is maintained for BAU operations and exceptions. Our infrastructure is deployed in a scale up and scale out design allowing for additional capacity to be added without redesign.

Analytics

Service usage metrics: Yes
Metrics types: For CallGuard Eckoh provides:
Total calls (Both inbound and outbound which can be split out)
Total minutes
Ang. duration
Attempted payments
Successful payments
Failed payments
Amount
Confirmations (email, sms)
Reporting types: Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with another standard
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users can export as JSON over the API or CSV via the console. Other methods are available such as mySQL dump - this would need to be requested separately and may incur additional cost.
Data export formats: CSV

Other
Other data export formats: JSON

MySQL Dump
Data import formats: CSV

Other
Other data import formats: JSON

MySQL Dump

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Other
Other protection between networks: We can also support https for data transit over public internet where this is required.
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Our platform is built from highly resilient components and is spread across two geographically separate sites each providing resilient solutions for communications and power. As such the platform provides an availability figure of 99.99% availability per year.
Approach to resilience: This information is available on request.
Outage reporting: If for any reason we experience an outage that affects the covered application it will be reported to the customer as soon as the agreed severity has been reached. The platform has built-in mechanisms for alerting both us and the client for any service affecting issue. Alerts can be issued via SNMP or email. Severe service affecting issues are managed by Eckoh's support team. An internal outage report is created and this will be passed on by your Account Manager to an agreed customer contact list via an email and or phone.

Identity and authentication

User authentication needed: No
Access restrictions in management interfaces and support channels: Where required we use secure login, certificates and IP whitelisting to ensure access is restricted. All access is logged and auditable.
Access restriction testing frequency: At least once a year
Management access authentication: Other
Description of management access authentication: There isn't any management access to this service

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 6 months and 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 6 months and 12 months
How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: British Assessment Bureau
ISO/IEC 27001 accreditation date: 03/05/2019
What the ISO/IEC 27001 doesn’t cover: All covered
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: Yes
Who accredited the PCI DSS certification: Verizon
PCI DSS accreditation date: 10/09/2023
What the PCI DSS doesn’t cover: Our entire operation and all services supplied are covered by our PCI DSS certification
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001

Other
Other security governance standards: PCI DSS Compliance Level One
Information security policies and processes: Security of information is pivotal to the successful operation of our business. We will protect these information assets and will do this in ways that are appropriate and cost effective. This will enable us to fulfil our responsibilities and to ensure that a high quality service can continue to be delivered to our clients, their customers and our staff. By maintaining this philosophy and practice we will retain our reputation as the leading provider of hosted self-service solutions in the UK. Responsibilities for information security management are shared between the following: • Board of Directors •Group Strategy Board • UK and US Performance Management Group • Security Group • Patching and Vulnerability Group • UK and US Data Protection & Security Working Groups Membership of these groups will be maintained by the Data Protection Officer and a committee structure.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Our continued compliance with PCI requires the following: A procedure for maintaining platform hardware assets A procedure for maintaining corporate hardware (PC and laptop) asset information. A procedure for maintaining licensed software asset information. Our Change Management Process is integral to this process. The IT Director is responsible for maintaining the PCI asset register. This covers hardware and software that is in scope for PCI compliance, including in-house developed payment services, and merchant account codes. PCI asset information related to in-house payment services is captured on Request for Change forms.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: We have a document that defines the standard procedure and timescale for managing security patches within the company. This includes definitions of: • the composition and role of our Patch and Vulnerability Group (PVG) • the role of senior management • the process of identifying identify newly discovered security vulnerabilities • a formal patch management life cycle process. This procedure applies to the management of security patches for our Windows and Linux platforms and to our network devices. Where applicable, the application of patches to our-hosted infrastructure is subject to agreed client change management and approval processes.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Monitoring computer systems and tracking user activity is a critical factor in protecting information security. Without effective monitoring, determining the source of security incidents would prove extremely difficult, and in such circumstances we would not be able to comply with other policies, industry standards or legal requirements. An incident is defined as an unplanned interruption to an IT or client service or reduction in quality of any service. The purpose of this policy is to define our principles and approach to incident management, resolution and longer term remedial action to minimise adverse impacts on business operations.
Incident management type: Supplier-defined controls
Incident management approach: We have a well defined policy that covers both network and information security incident management. Network incidents are those that reduce the quality or availability of IT services. Information security incidents are those which pose a threat to our information. Users can report incidents by email or phone. We follow a standard process for managing incidents from identification through impact assessment, reporting, fixing and testing to full resolution and RCA. RCA's are provided to clients via email within 5 working of incident closure.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Equal opportunity
Wellbeing

Fighting climate change

Eckoh as a business has released a Carbon Reduction Plan and is working towards net zero greenhouse gas emissions by 2045.

Equal opportunity

Eckoh is committed to promoting equal treatment for all within all areas of employment and endeavours to ensure a safe and secure environment, free from harassment and bullying, where all our people, customers, visitors and contractors are treated with dignity
and respect.

Wellbeing

Eckoh has five values, the fifth value ‘H’ is for humanity, amongst other areas, this encompasses the well-being of our staff and the support we provide to our local community.

There are continual initiatives in the organization to support the health and wellbeing of our staff and they evolve as the world around us evolves. I.E. the initiatives during COVID and lockdown are different to the current initiatives. We provide flexible working to our employees, enabling parents to have balance in their live, not only pursuing their careers, but also allowing flexibility to manage their home lives and caring for their children or elderly relatives. We provide a range of benefits to our employees, such as Pilates, fresh fruit etc.

In the Community, our chosen charity to support is our local DENS charity, who’s aim is ‘Helping Rebuild Lives for people in Dacroum who are facing homelessness, poverty and social exclusion.

Pricing

Price: £17.00 to £54.00 a licence a month
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Secure digital payments

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents