ECKOH UK LIMITED

Payment IVR

An automated self-service, PCI DSS compliant solution enabling customers to make card payments conveniently and securely over the phone at any time. This solution offers the same levels of confidence about data security for customers who prefer to self-serve.

Features

• 24x7x365 PCI DSS compliant automated card payments
• Customisable call flow script and voiceover
• Can be used for disaster recovery
• Calls can be transferred to a live agent
• Phone number/calls can be routed from your current number
• SMS or email to confirm customer transaction.
• Integrated with all major PSPs including GOV.UK Pay
• All major cards accepted.
• Automated IVR payments

Benefits

• Handles peaks in demand, relieving pressure from contact centres
• 24x7x365 availability allows customers to make payments anytime, anywhere
• Reduces the scope of PCI DSS compliance
• Prevents card data from being handled by contact centre agents
• Removes circa 90% of payment calls from the contact centre
• Improves agent productivity

£0.10 to £0.25 a transaction a month

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Louisa.Seymour@eckoh.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

640060509108958

Contact

Louisa Seymour
07825 219705
Louisa.Seymour@eckoh.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: All Eckoh Services in G-Cloud can be used together to improve and secure the customer payment journey. Services that can be used together and extended are: IVR Pay Automated Payments and Agent Assisted Payments
• Cloud deployment model: Public cloud
• Service constraints: NA
• System requirements:
  • All IVR payment calls need to route through the platform
  • Buyers must be contracted with a PSP
  • Buyers must provide a suitable Merchant ID for the channel

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times do not change at the weekends. Response times differ on the error severity for example: Critical (24/7 Support) - 1 hour Major - 4 Business Hours Minor - 48 Business Hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We do not provide a tiered support structure, all support is 24x7x365 and provided as standard within the cost of the service. ; We provide a technical account manager within the cost of the service.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: New customers will be guided through the onboarding process by a dedicated project manager and/or their operational account manager, depending on the complexity of their requirement.; ; The following documents will be provided as during this process:; ; 1. Getting started: project delivery process, service set-up and testing; 2. Service pre-requisites questionnaire; 3. Integration documentation; 4. Training guides; 5. Ongoing support, SLA, and fault reporting.; ; All documentation is available to download from the support section of our website. ; ; Services are switched on for go live on a specified date in agreement with the customer.
• Service documentation: Yes
• Documentation formats:
  • ODF
  • PDF
• End-of-contract data extraction: We will provide the buyer with an extract of management information collected during the course of the contract.
• End-of-contract process: We will cease the service, at which point calls will not be answered. Configuration data for the service can be provided at this point.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The buyers end customers can make payments through a provided responsive web page which means the functionality of the page is the same for both desktop and mobile.
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: We manage our platforms and infrastructure using a range of KPI and OPI measurements including average and peak utilization across all components. Trend analyses and sales pipeline are used to ensure that sufficient capacity is maintained for BAU operations and exceptions. Our infrastructure is deployed in a scale up and scale out design allowing for additional capacity to be added without redesign.

Analytics

• Service usage metrics: Yes
• Metrics types: For EckohPay Eckoh provides; Total calls (including call data i.e. CLI, avg. call length ...) ; Repeat calls ; Success of payments; Breakdown of card type; Total amount; Attempted payments; Total payments
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data export is carried out by Eckoh. Eckoh will provide access to an sFTP server for users to access exported data.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: We can also support https for data transit over public internet where this is required.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our platform is built from highly resilient components and is spread across two geographically separate sites each providing resilient solutions for communications and power. As such the platform provides an availability figure of 99.99% availability per year.
• Approach to resilience: This information is available upon request.
• Outage reporting: If for any reason we experience an outage that affects the covered application it will be reported to the customer as soon as the agreed severity has been reached. The platform has built-in mechanisms for alerting both us and the client for any service affecting issue. Alerts can be issued via SNMP or email. Severe service affecting issues are managed by our support team. An internal outage report is created and this will be passed on by your Account Manager to an agreed customer contact list via an email and or phone.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: Where required we use secure login, certificates and IP whitelisting to ensure access is restricted. All access is logged and auditable.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: The British Assessment Bureau
• ISO/IEC 27001 accreditation date: 03/05/2019
• What the ISO/IEC 27001 doesn’t cover: Nothing
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Verizon
• PCI DSS accreditation date: 10/09/2023
• What the PCI DSS doesn’t cover: Our entire operation and all services supplied are covered by our PCI DSS certification.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • PCI DSS Level One
  • ISO 27001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Eckoh are PCI DSS Level 1
• Information security policies and processes: As a managed services provider, we recognises that the security of information is pivotal to the successful operation of our business. We will protect these information assets and will do this in ways that are appropriate and cost effective. This will enable us to fulfil our responsibilities and to ensure that a high quality service can continue to be delivered to our clients, their customers and our staff. By maintaining this philosophy and practice we will retain our reputation as the leading provider of hosted self-service solutions in the UK. Responsibilities for information security management are shared between the following: ; • Board of Directors ; • Group Strategy Board ; • UK and US Performance Management Group ; • Security Group ; • Patching and Vulnerability Group ; • UK and US Data Protection & Security Working Groups Membership of these groups will be maintained by the Data Protection Officer and a committee structure.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our continued compliance with PCI requires the following: A procedure for maintaining platform hardware assets A procedure for maintaining corporate hardware (PC and laptop) asset information. A procedure for maintaining licensed software asset information. Our Change Management Process is integral to this process. The IT Director is responsible for maintaining the PCI asset register. This covers hardware and software that is in scope for PCI compliance, including in-house developed payment services, and merchant account codes. PCI asset information related to in-house payment services is captured on Request for Change forms.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We have a document that defines the standard procedure and timescale for managing security patches within the company. This includes definitions of: • the composition and role of our Patch and Vulnerability Group (PVG) • the role of senior management • the process of identifying identify newly discovered security vulnerabilities • a formal patch management life cycle process. This procedure applies to the management of security patches for our Windows and Linux platforms and to our network devices. Where applicable, the application of patches to Eckoh-hosted infrastructure is subject to agreed client change management and approval processes.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Monitoring computer systems and tracking user activity is a critical factor in protecting information security. Without effective monitoring, determining the source of security incidents would prove extremely difficult, and in such circumstances we would not be able to comply with other policies, industry standards or legal requirements. An incident is defined as an unplanned interruption to an IT or client service or reduction in quality of any service. The purpose of this policy is to define our principles and approach to incident management, resolution and longer term remedial action to minimise adverse impacts on business operations.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a well defined policy that covers both network and information security incident management. Network incidents are those that reduce the quality or availability of IT services. Information security incidents are those which pose a threat to our information. Users can report incidents by email or phone. We follow a standard process for managing incidents from identification through impact assessment, reporting, fixing and testing to full resolution and RCA. RCA's are provided to clients via email within 5 working of incident closure.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Eckoh as a business has released a Carbon Reduction Plan and is working towards net zero greenhouse gas emissions by 2045.

  Equal opportunity

  Eckoh is committed to promoting equal treatment for all within all areas of employment and endeavours to ensure a safe and secure environment, free from harassment and bullying, where all our people, customers, visitors and contractors are treated with dignity ; and respect.

  Wellbeing

  Eckoh has five values, the fifth value ‘H’ is for humanity, amongst other areas, this encompasses the well-being of our staff and the support we provide to our local community.; ; There are continual initiatives in the organization to support the health and wellbeing of our staff and they evolve as the world around us evolves. I.E. the initiatives during COVID and lockdown are different to the current initiatives. We provide flexible working to our employees, enabling parents to have balance in their live, not only pursuing their careers, but also allowing flexibility to manage their home lives and caring for their children or elderly relatives. We provide a range of benefits to our employees, such as Pilates, fresh fruit etc.; ; In the Community, our chosen charity to support is our local DENS charity, who’s aim is ‘Helping Rebuild Lives for people in Dacroum who are facing homelessness, poverty and social exclusion.

Pricing

• Price: £0.10 to £0.25 a transaction a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Louisa.Seymour@eckoh.com. Tell them what format you need. It will help if you say what assistive technology you use.