Skip to main content

Help us improve the Digital Marketplace - send your feedback

MCR SYSTEMS LIMITED

Symphony

Provision of EPoS Solution for catering outlets

Features

  • State-of-the-art EPOS Systems
  • Omni-channel Payment Solutions
  • Loyalty & Rewards
  • Online Ordering with Preorder
  • Stock Management Software
  • Business Intelligence and Analytics
  • Merchant Services for lower payment processing fees
  • Manage multi-site complex operations from a single view
  • Cross-platform available on Windows, Android and iOS.
  • Installation, maintenance, support and loan device options available

Benefits

  • manage stock and inventory accurately
  • provide an online ordering platform for food ordering
  • Provide a fully compliant cloud based EPOS solution
  • Full loyalty solution for customer engagement and reward
  • live dashboard view of entire EPOS estate on mobile device

Pricing

£240 to £480 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pjewell@mcr-systems.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

6 6 1 9 5 8 0 4 4 2 9 1 6 9 4

Contact

MCR SYSTEMS LIMITED Paul Jewell
Telephone: 0116 225 3462
Email: pjewell@mcr-systems.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Most releases are non-impacting, however, from time to time, maintenance is required, and any downtime is communicated well in advance. Our EPOS technology does offer offline capability to accommodate both our maintenance, and maintenance or downtime experienced on your local communications. Our system uptime for the previous 90 days is 99.9% across all services.
System requirements
  • Data Point: 1 x Network Outlet
  • TCP/IP: Static or DHCP
  • Segregated VLAN
  • 2 x 13A Mains power supply within 1m
  • Internet Connection (minimum 10Mb ADSL/DSL recommended)
  • Firewall changes to support certificate authorities
  • Option to be configured to operate with Proxy Servers

User support

Email or online ticketing support
Email or online ticketing
Support response times
45 mins to 8hr fix dependent on agreed SLA and KPI.

45 mins - Priority 1 as in cant trade through to a report wont export IE 8hrs.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
The webchat screen is a triage element hosted within the MCR website which is WCAG2.1A rated. This can result in a support call being solved, or triage and a support call being lodged and a support desk analyst contacting the customer.
Onsite support
Yes, at extra cost
Support levels
PRIORITY: Priority call out (within 3-business days), loan device, full access to the Support Deck and remote support. Up to 2x on-site callouts per POS Terminal device per contract year is included within this service.

ENHANCED: As above in Priority (same or next business day), plus includes parts and labour for the POS terminal, including screen, main-board, power supply, but excludes replacement of parts for faults diagnosed as Hard Drive/SSD or related to hardware faults of peripheral devices (MSR, printers etc). Up to 3x on-site callouts or replacement part services per device per contract year are included within this service.

ENHANCED PLUS: As above however Up to 5x on-site callouts or replacement part services per device per contract year are included within this service.

MCR supplies a named and dedicated AM as a daily contact and they run weekly and monthly check-ins and a full quarterly business review attended by Head of Support, Commercial, and the dedicated project Manager.

All costs include SAAS support and the support costs are determined by level and hours covered, ranging from £10 a month per device through to £50
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Initial consultancy meetings will be held to establish the primary goals and functional requirements of the client, identify stakeholders, and understand deployment timelines. The MCR Project Management team are Prince2 trained. The assigned MCR PM/Consultant will find the ‘best-fit’ strategy for implementing the deployment of Symphony to meet these requirements, with the aim of delivering accurate and invaluable data to the right members of your management team at the right time to enable strategic decision making. Part of this process will include defining user roles within the clients’ business, establishing a training plan, and confirming the site structure within the database.

Full project plan is shared with agreed project meetings and milestone meetings, to include all system build, install and training from project kick off to Go-Live.

All training materials are issued post training with access to multiple online learning tools and reference materials including webinars and full illustrated release notes.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • .xls
  • Wiki links
  • Webinars
  • Video tutorials
  • Illustrated release notes
  • Hard copy - discouraged where possible
End-of-contract data extraction
Users can run reports and extract data in html, .xls, .csv. PDF and Word formats. In addition, we provide a full data export file to customer SFTP server either the morning after the days before trading, or live throughout the trading day.

MCR can export data if agreed with the client to assist with any offboarding or audit exercises.
End-of-contract process
The contract is pre-agreed before going live, this will cover all onboarding costs, training, hardware, set up and install as well as license and ongoing SAAS licenses as examples.

Prices are usually subject to CPI increase at the anniversary of the go live date, however for multi-year contracts price increases maybe frozen for initial term. Contracts go up in prices if you increase the size of your estate (Relative to number of licences) and if you take additional services not taken on commencement,

Off boarding runs the project in revers, once notice is given and exit dates agreed, your MCR PM will take you through the offboarding process, including any data exports, reports etc.

The client owns the hardware and they may choose to use this with another supplier, should they not, then dependent on age of device MCR may look at buying back or offer a full WEE Disposal service.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Built specifically for mobile and tablet, the solution is device aware and browser agnostic - resizing to maximise the space available.
Service interface
Yes
User support accessibility
WCAG 2.1 A
Description of service interface
Dependant on the required service, a number of APIs are available.
Accessibility standards
WCAG 2.1 A
Accessibility testing
Mixture of tooling - including Google Lighthouse for testing.
API
Yes
What users can and can't do using the API
APIs available to import products, prices, operators and additional metadata
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The solution is completely configurable. System administrators within the client have the ability to customize the solution in every aspect from product, through promotions, stock, loyalty and loyalty rules and pre-order solution. Screens can be customized and completely bespoke by outlet or even POS point.

Scaling

Independence of resources
We are able to scale out and up the infrastructure as needed depending on demand and time of year for example.

Analytics

Service usage metrics
Yes
Metrics types
Depending on the detail required, it can be available via various routes.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can run reports and export this data. In addition MCR have a module which can export more detailed information on a scheduled basis.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS
  • PDF
  • DOC
  • HTML
  • JSON
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • JSON
  • XLS

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
MCR Systems hosting is via our hosting partner, GTT, who we are entering our 10th year in partnership with. We have a primary hosting centre near London and a live DR site in Slough. The platform is covered under AoC as a SAQ-D solution as well as cyber essentials. MCR have a 24/7/365 team monitoring security events and incidents utilising the very latest SIEM (Security Information and Event Management) and FIM (File Integrity Monitoring) software and uses next generation firewalls as well as data base level encryption. MCR databases automatically replicate on to alternative servers using the high availability servers so downtime is less then 1% across a 12 month period. Our hosting platform is fully assessed by an external Qualified Security Assessor as SAQ-A and SAQ-P2PE PCI DSS Compliant and our Data Processor is registered with the ICO. We have a full DR with defined RPO and RTO failover procedures.

We have a target of system uptime availability of 99% across a 12 month period.
Approach to resilience
MCR Systems hosting is via our hosting partner, GTT, who we are entering our 10th year in partnership with. We have a primary hosting centre near London and a live DR site in Slough. The platform is covered under AoC as a SAQ-D solution as well as cyber essentials. MCR have a 24/7/365 team monitoring security events and incidents utilising the very latest SIEM (Security Information and Event Management) and FIM (File Integrity Monitoring) software and uses next generation firewalls as well as data base level encryption. MCR databases automatically replicate on to alternative servers using the high availability servers so downtime is less then 1% across a 12 month period. Our hosting platform is fully assessed by an external Qualified Security Assessor as SAQ-A and SAQ-P2PE PCI DSS Compliant and our Data Processor is registered with the ICO. We have a full DR with defined RPO and RTO failover procedures.
Outage reporting
There is a public dashboard which customers can view to see whether any services are down. In addition, there are email alerts. Finally, major customers will be contacted by telephone for significant outages.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
User role based access management.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Intertek
ISO/IEC 27001 accreditation date
31/08/2023
What the ISO/IEC 27001 doesn’t cover
The protection of data during the sales, design & development, delivery, support and and maintenance of a POS solution and support services in accordance with Statement of Applicability issue 1.0.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Claranet Limited
PCI DSS accreditation date
22/03/2024
What the PCI DSS doesn’t cover
AOC available.
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
MCR Systems have multiple policies and processes as part of ISO27001 including, but not limited to, policies on:
Information Security Policy; Governance Reporting; Starter, Leavers and Changes; Security Training; PCI DSS Security Training; Password and MFA; Systems Service Provider; Access Control; BYOD policy; Acceptable Usage; Clean Desk; Visitors; Risk Management; Incident Response; Data Classification; Data Protection and GDPR; Data Retention and Removal; Data Breach; Asset Management; Patch Management; BCP and DR; Software Development; Change Control; Cloud Services; PCI DSS Acknowledgement; P2PE Instructions; IT Security Testing; Logging and Monitoring; Endpoint Security; Network Management; Vulnerability Management; Physical Security; Data Encryption; Firewall Policy.

These policies are distributed using the KnowBe4 software at least once a year and have to be acknowledged by all employees.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
MCR Systems have robust configuration and change management processes and this is reviewed as part of ISO 27001 and PCI DSS audits. All changes must be approved at a weekly CAB meeting. In addition the change request must include testing results, security considerations and a rollback plan as well as implementation and communication plans.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Potential Threats are identified by multiple sources such as SOC, our third party managed security provider, software suppliers (e.g. MSRC notifications), other security sources, ASV scans, pen tests.
These threats are assessed and ranked with consideration also given to technical constraints, customer impact and compensatory controls.
Critical/zero day vulnerabilities are patched as soon as physically possible. Other vulnerabilities are patched between 7 and 30 days depending upon their risk and assessment ranking.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises could be identified by multiple sources such as IOCs on the SIEM, users reporting unexpected behaviors, our SOC team seeing suspicious activities. MCR have a data breach policy which is followed. The response depends on the circumstance and usually include a mixture or all of the following: detection, initial investigation and analysis, isolation and containment, impact assessment, communication to stakeholders, forensics investigation, recovery or restores, mitigations, lessons learnt and policy reviews. The speed of the response depends on the risk of the incident but are usually treated as urgent (GDPR which has a 72 hour reporting requirement).
Incident management type
Supplier-defined controls
Incident management approach
MCR Systems has pre defined processes in a security incident response policy for common events. Users report incidents via telephone, email or logging tickets from their desktop. Reports are created manually for major incidents.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

Fighting climate change

The hospitality industry now can calculate the greenhouse gas footprint of menus, and our solution has the ability to have this information displayed on the till under product information along with allergen and nutritional content in all POS journeys, Self-serve journeys and within the APP.

Should you make use of the MCR native label printing and you may print a label for a made product on site IE a Sandwich containing this information also. Please bear in mind appropriate label sizing so that all information on the label is clearly legible. The label module will pick up label sizes for more environmentally friendly labels should you choose to print them .

As part of our journey to ISO 14001 – we have closely looked at how our activities impact not just the environment but our immediate environment and have swapped packaging to be compostable and fully recycled and recyclable where possible.
We have switched from packing “wotsits” to a a recycled and compostable packaging, including the outer boxes where possible, we ask supplier to use recycled materials and limit the contents of non recyclable materials.

We have started to measure our carbon footprint with targets over the next 12 months, 3 and 5years to reduce this significantly.

We have a full e-receipt module to remove the requirement for printed receipts and we also offer a full kitchen management solution to further reduce the requirement to print.

Equal opportunity

We strive to ensure that we carry out actions and conduct our business in a progressively moral and ethical manner. Acting ethically is one of the underlying principles of our Company and its business. Our aim is to ensure consistent and fair treatment of each other and to uphold the professional standards that we expect. This means, among other things, that we conduct our work and our internal and external professional relationships with integrity and in line with all relevant professional standards and guidelines.
This Policy is written in accordance with the Equality Act (2010), and its purpose is to:
▪ provide equality, fairness and respect for all in our employment, whether temporary, part-time or full-time,
▪ not unlawfully discriminate because of the Equality Act protected characteristics of age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race (including colour, nationality, and ethnic or national origin), religion or belief, sex (gender) and sexual orientation,
▪ oppose and avoid all forms of unlawful discrimination. This includes in pay and benefits, terms and conditions of employment, dealing with grievances and discipline, dismissal, redundancy, leave for parents, requests for flexible working, and selection for employment, promotion, training or other developmental opportunities.
The Equality Act brings together 116 pieces of separate discrimination law to provide a legal framework to protect the rights of individuals and advance equality of opportunity for all.

Our full policy is available for review on request

Wellbeing

We have recently launched Mental health first aid courses for our employees and are conscious to provide to everybody the tools and environment for them to feel valued, supported and understood.

We are a very inclusive company with weekly news bulletins containing full department and company updates along with a full in person quarterly townhall meeting in a social setting.

Pricing

Price
£240 to £480 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
A full proof of concept SOW is agreed, with defined time periods and defined success criteria, with the pre-agreement that should criteria be met then a contract is agreed.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pjewell@mcr-systems.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.