PayPoint

Cash Out, Open Payments and e-Gift Card Services – Supermarket Vouchers

Cash Out – issue customers with vouchers redeemable for cash or energy credit at any of PayPoint's 28,000 retailers. PayPoint OpenPay – deposit digital voucher into bank accounts, BACs or Faster Payments. Food, Clothing and White Good vouchers. Services available via a simple online portal or API.

Features

• Cash disbursement service
• Stores generally open 7 days and over 100 hours week
• Convenient locations for customers
• Accessed via online portal so no development requirement
• Vouchers can be issued via SMS, Email or Post
• Can be exchanged for cash or energy credit

Benefits

• Remove your cash holding requirement
• Quickly and easily issue vouchers
• Can issue individually or bulk upload
• Control user access and individual limits
• Issue any amount in pounds and pence up to £100
• Set redemption time limit, i.e. must redeem in 30 days

£0.80 a transaction

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ianranger@paypoint.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

623113929895034

Contact

Ian Ranger
01707 600388
ianranger@paypoint.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The PayPoint service is available 24/7 and we operate a full disaster recovery facility to provide complete service resilience. In the event we do carry out system maintenance, we provide our clients with notice and schedule overnight to ensure minimal disruption.
• System requirements:
  • Our service is available via Internet Explorer 9+
  • Compatible with latest version of Chrome
  • Compatible with latest version of Firefox
  • Compatible with latest version of Opera
  • Compatible with Safari

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 2 working days
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The PayPoint Client Management team are available 9 to 5:30 Monday to Friday. Outside of core hours, we maintain an operational contact centre that is available 24/7 to deal with any urgent issues.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: PayPoint's Client Implementation team will provide you with an overview of the online portal and any training requirements your staff may need. You can decide how many members of staff to set up as Users of the service. Staff access the web portal using a digital crypto token that we provide.
• Service documentation: No
• End-of-contract data extraction: All reports can be accessed via the portal.
• End-of-contract process: In the event the buyer transfers to another supplier, PayPoint will help to ensure a smooth transition. There would be no additional costs.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: PayPoint operates a 24/7 real time on-line system, supported by dual data centres to ensure full service availability at all times. Across all payment channels, PayPoint has an enviable track record of near total up-time, meeting industry best standards and this extends to resilience in the event of major service problems. During peak periods, PayPoint processes over 10 million transactions a week. ; ; We operate a disaster recovery service with active-active running across dual data centres. Business continuity plans are regularly tested and apply the best practices of security standards.

Analytics

• Service usage metrics: Yes
• Metrics types: As well as providing a daily batch transaction file (csv format), PayPoint provide an online dashboard so buyers can see card payment transactions in real time.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Data is held in a private subnet which is only accessible via a VPN; bank data is encrypted and not visible in plain text. ISAE 3402 I-Movo (as entirely hosted in Azure); RSM (as entirely hosted in AWS). Backup and storage of tapes: Encrypted using CommVault; Company laptops: Encrypted using Bitlocker. Obfuscating and Encryption techniques: Where appropriate to the risk (following ISO 27001, PCI DSS Compliance standards)
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: PayPoint provide clients with daily transaction files which contain details of all transactions processed the previous day. These csv files can be distributed via email, FTP or SFTP (Push or Get). ; ; For our MultiPay services (DD, Online, IVR and App), clients have access to a portal to monitor transactions and run reports. ; ; Our Cash Out service also enables clients to pull data and run reports via the online portal.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Our terms and conditions include SLA's to give our clients assurance that we will provide a high level of availability. These include all payment terminals being available to capture customer payments for at least 99% of the retailers opening hours. For our MultiPay services we also have a minimum 99% uptime service level. ; ; Failure to achieve our performance standards results in liquidated damages and compensation payments to our clients.
• Approach to resilience: PayPoint operates a 24/7 real-time on-line system, supported by dual data centres to ensure full service availability at all times for both our over the counter and MultiPay platforms. PayPoint has an enviable record of near total up-time, meeting best industry standards and this extends to resilience in the event of service problems. We have full disaster recovery for our services with active-active running across dual data centres. Business continuity plans are regularly tested.
• Outage reporting: In the event of a service disruption, notifications via e-mail are issued to our clients to make them aware. Maintenance work is generally scheduled overnight to minimise disruption and advance notice is provided.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Any access to our interfaces requires the end user to enter their Username and Password. For our Cash Out service, users are provided with Crypto tokens which they require to access the service. We also record the users IP address so they can only access from that address and we can provide security levels and limits on the value of vouchers that can be issued.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Standards Institute (BSi)
• ISO/IEC 27001 accreditation date: 14/08/2022
• What the ISO/IEC 27001 doesn’t cover: The Information Security Management System relating to the operation by PayPoint Network Ltd of systems for the collection of customer payments and the dispensing of cash through the PayPoint and PayByPhone branded network of retailer terminals, ATMs and mobile device payment schemes.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Foregenix Ltd
• PCI DSS accreditation date: 17/05/2023
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: PayPoint has a documented Group Information Security Policy and Security Policy Framework both compliant with ISO27001:2013. These are supported by a suite of other policies and procedures published for staff on our Intranet. Examples include anti-virus protection, vulnerability management, internet and e-mail use, staff training, risk management and incident reporting.; ; We ensure compliance to these policies by implementing our own internal audit system, employing third party auditors to target specific areas of governance and we are subject to registration visits twice per year for ISO27001:2013, once per year for PCI DSS and a number of audits for LINK compliance. All staff including contractors are expected to complete an information security induction when they begin at PayPoint and all staff are given refresher training once per year. All staff are expected to complete both GDPR and DPA training on our learning management system. The company has established a Cyber Security Sub-Committee and the board actively participate in both strategic risk reviews and incident exercises.; ; PayPoint has a Risk and Compliance team comprising of a Head of Risk and Compliance, a Risk and Compliance Manager, a Fraud and Police Investigations Officer and a Technical Security Analyst.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: PayPoint has a documented change management procedure. Development and production environments and staff are segregated. There is a weekly change review board that must approve any change before it is deployed to production. There is a facility for emergency changes to be released but this requires senior IT Management approval. PayPoint has dedicated project managers, a dedicated configuration manager and a documents software development process. In production, change managers have oversight of product deployments. Every weekday there is a meeting on the operations bridge to review all technical incidents changes and business in hand.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: PayPoint uses supplier defined controls, these comply with PCI DSS, ISO27001:2013 and LINK requirements. PayPoint is registered to the first two standards and a member of the third.; PayPoint has a documented vulnerability management policy and has an in-house resource who conducts monthly ASV scans. ; PayPoint's Patch Review Board reviews vulnerabilities, available patches and priority of patch deployment. Critical and high rated security patches are typically deployed within a month. Critical patches may be deployed more quickly. ; PayPoint uses McAfee anti-virus software and EPO is configured and tested to issue virus alerts when any potentially suspicious item is detected.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: PayPoint uses McAfee anti-virus software and Mimecast mail scanning. EPO is configured and tested to issue virus alerts when any potentially suspicious item is detected. Our standing procedure is to identify the device, remove it from the network and begin scans. ; ; We operate a 24/7 Operations Bridge which monitors services and operational incidents so we can respond as quickly as possible.
• Incident management type: Supplier-defined controls
• Incident management approach: PayPoint is registered for ISO27001 and is PCI compliant. In the event of an incident, we will notify our clients via e-mail. If Users identify an incident, they should contact their Account Manager or the Operations bridge if outside core hours. PayPoint provide incident reports via e-mail where appropriate.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Supporting customers and retailers, enabling clients to provide vital ; services in the community.

Pricing

• Price: £0.80 a transaction
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ianranger@paypoint.com. Tell them what format you need. It will help if you say what assistive technology you use.