Skip to main content

Help us improve the Digital Marketplace - send your feedback

ECKOH UK LIMITED

Pay by Link

A PCI Level 1 compliant payment solution that enables your customer to make secure ecom payments across all channels including phone and digital, when speaking with an agent.

Pay by Link allows for de-scoping of Card Not Present payments allowing our clients to certify for PCI using SAQ-A or SAQ-D.

Features

  • PCI DSS Level 1 certified provider
  • Minimise PCI audit by fully descoping the customer environment
  • Compatible with 100% PSPs, including multiple providers
  • Supports all ecom payment types including e-wallets
  • Simple low-cost integration options for existing payment processes
  • Available across all contact channels including digital
  • Agents are always connected to the customer during a payment
  • Real-time feedback provided to the agent via CallGuard's interface
  • Patented technology
  • Real-time reporting dashboard

Benefits

  • Fraud risk reduction
  • Extends the payment options beyond traditional cards and into e-wallet
  • Turns a MOTO payment into an ecom payment reducing fraud
  • Supports the latest ecom security standards
  • Allows agents to continue guiding callers through the payment process
  • Removes agents, systems, processes and call recordings from PCI scope
  • Provides a Better customer experiences
  • Improved security
  • Continuous secure call recording for quality monitoring accuracy
  • Allows for secure call recording, existing or Eckoh's

Pricing

£18.00 to £30.00 a licence

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Louisa.Seymour@eckoh.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

6 8 0 6 7 8 0 7 7 2 8 7 0 9 3

Contact

ECKOH UK LIMITED Louisa Seymour
Telephone: 07825 219705
Email: Louisa.Seymour@eckoh.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Eckoh's Pay by Link service is implemented as an extension of an existing payment process, typically using a PSP hosted payment page or in-house payment page for agents to process customer payments.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Only browsers which are supported for security patches and updates by their manufacturers are supported under the PCI DSS standard and therefore only these will be supported by us.
System requirements
Currently supported browsers: IE9 and above, Firefox, Chrome, Safari

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times do not change at the weekends. Response times differ on the error severity for example: Critical (24/7 Support) - 1 hour Major - 4 Business Hours Minor - 48 Business Hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
We do not provide a tiered support structure . All support is 24x7x365 and provided as standard within the cost of the service. We provide a technical account manager within the cost of the service.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
New customers will be guided through the onboarding process by a dedicated project manager and/or their operational account manager, depending on the complexity of their requirement.

The following documents will be provided as during this process:

1. Getting started: project delivery process, service set-up and testing
2. Service pre-requisites questionnaire
3. Integration documentation
4. Training guides
5. Ongoing support, SLA, and fault reporting.

All documentation is available to download from the support section of our website.

Services are switched on for go live on a specified date in agreement with the customer.
Service documentation
Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
We will provide the buyer with an extract of management information collected during the course of the contract.
End-of-contract process
Configuration data for the service can be provided at this point.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None
Service interface
No
User support accessibility
None or don’t know
API
No
Customisation available
Yes
Description of customisation
The web pages that both the agent and customer are presented for the payment process can be customised to meet specific business requirements.
Customisation would typically be for non-standard API integration for legacy payment processes, information required to take the payment i.e. fields such as payment reference number, for displayed payment status to agents, and for branding presented to the customer.

Scaling

Independence of resources
We manage its platforms and infrastructure using a range of KPI and OPI measurements including average and peak utilization across all components. Trend analyses and sales pipeline are used to ensure that sufficient capacity is maintained for BAU operations and exceptions. Our infrastructure is deployed in a scale up and scale out design allowing for additional capacity to be added without redesign.

Analytics

Service usage metrics
Yes
Metrics types
For CallGuard Eckoh provides:
Total calls (Both inbound and outbound which can be split out)
Total minutes
Ang. duration
Attempted payments
Successful payments
Failed payments
Amount
Confirmations (email, sms)
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data export is carried out by us. We will provide access to an sFTP server for users to access exported data.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
We can also support https for data transit over public internet where this is required.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our platform is built from highly resilient components and is spread across two geographically separate sites each providing resilient solutions for communications and power. As such the platform provides an availability figure of 99.9% availability per year.
Approach to resilience
This information is available upon request.
Outage reporting
If for any reason we experience an outage that affects the covered application it will be reported to the customer as soon as the agreed severity has been reached. The platform has built-in mechanisms for alerting both us and the client for any service affecting issue. Alerts can be issued via SNMP or email. Severe service affecting issues are managed by Eckoh's support team. An internal outage report is created and this will be passed on by your Account Manager to an agreed customer contact list via an email and or phone.

Identity and authentication

User authentication needed
No
Access restrictions in management interfaces and support channels
Where required we use secure login, certificates and IP whitelisting to ensure access is restricted. All access is logged and auditable.
Access restriction testing frequency
At least once a year
Management access authentication
Other
Description of management access authentication
There isn't any management access to this service

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
The British Assessment Bureau
ISO/IEC 27001 accreditation date
03/05/2019
What the ISO/IEC 27001 doesn’t cover
Nothing
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Verizon
PCI DSS accreditation date
10/09/2021
What the PCI DSS doesn’t cover
Our entire operation and all services supplied are covered by our PCI DSS certification.
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Eckoh are PCI DSS Level 1
Information security policies and processes
Security of information is pivotal to the successful operation of our business. We will protect these information assets and will do this in ways that are appropriate and cost effective. This will enable us to fulfil our responsibilities and to ensure that a high quality service can continue to be delivered to our clients, their customers and our staff. By maintaining this philosophy and practice we will retain our reputation as the leading provider of hosted self-service solutions in the UK. Responsibilities for information security management are shared between the following: • Board of Directors •Group Strategy Board • UK and US Performance Management Group • Security Group • Patching and Vulnerability Group • UK and US Data Protection & Security Working Groups Membership of these groups will be maintained by the Data Protection Officer and a committee structure.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our continued compliance with PCI requires the following: A procedure for maintaining platform hardware assets A procedure for maintaining corporate hardware (PC and laptop) asset information. A procedure for maintaining licensed software asset information. Our Change Management Process is integral to this process. The IT Director is responsible for maintaining the PCI asset register. This covers hardware and software that is in scope for PCI compliance, including in-house developed payment services, and merchant account codes. PCI asset information related to in-house payment services is captured on Request for Change forms.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have a document that defines the standard procedure and timescale for managing security patches within the company. This includes definitions of: • the composition and role of our Patch and Vulnerability Group (PVG) • the role of senior management • the process of identifying identify newly discovered security vulnerabilities • a formal patch management life cycle process. This procedure applies to the management of security patches for our Windows and Linux platforms and to our network devices. Where applicable, the application of patches to our-hosted infrastructure is subject to agreed client change management and approval processes.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring computer systems and tracking user activity is a critical factor in protecting information security. Without effective monitoring, determining the source of security incidents would prove extremely difficult, and in such circumstances we would not be able to comply with other policies, industry standards or legal requirements. An incident is defined as an unplanned interruption to an IT or client service or reduction in quality of any service. The purpose of this policy is to define our principles and approach to incident management, resolution and longer term remedial action to minimise adverse impacts on business operations.
Incident management type
Supplier-defined controls
Incident management approach
We have a well defined policy that covers both network and information security incident management. Network incidents are those that reduce the quality or availability of IT services. Information security incidents are those which pose a threat to our information. Users can report incidents by email or phone. We follow a standard process for managing incidents from identification through impact assessment, reporting, fixing and testing to full resolution and RCA. RCA's are provided to clients via email within 5 working of incident closure.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Fighting climate change

Eckoh as a business is working towards net zero greenhouse gas emissions. In order to achieve this, as a business, we are reviewing and identifying the changes that need to be adopted by our staff, our suppliers, our customers and how we work in our community to reduce our carbon footprint.
Wellbeing

Wellbeing

Eckoh has five values, the fifth value ‘H’ is for humanity, amongst other areas, this encompasses the well-being of our staff and the support we provide to our local community.

There are continual initiatives in the organization to support the health and wellbeing of our staff and they evolve as the world around us evolves. I.E. the initiatives during COVID and lockdown are different to the current initiatives. We provide flexible working to our employees, enabling parents to have balance in their live, not only pursuing their careers, but also allowing flexibility to manage their home lives and caring for their children or elderly relatives. We provide a range of benefits to our employees, such as Pilates, fresh fruit etc.

In the Community, our chosen charity to support is our local DENS charity, who’s aim is ‘Helping Rebuild Lives for people in Dacroum who are facing homelessness, poverty and social exclusion.

Pricing

Price
£18.00 to £30.00 a licence
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Louisa.Seymour@eckoh.com. Tell them what format you need. It will help if you say what assistive technology you use.