ECKOH UK LIMITED

Pay by Link

A PCI Level 1 compliant payment solution that enables your customer to make secure ecom payments across all channels including phone and digital, when speaking with an agent.

Pay by Link allows for de-scoping of Card Not Present payments, allowing our clients to certify for PCI using SAQ-A or SAQ-D.

Features

  • PCI DSS Level 1 certified provider
  • Minimise PCI audit by fully descoping the customer environment
  • Compatible with 100% of PSPs, including multiple providers
  • Supports all ecom payment types including e-wallets
  • Simple low-cost integration options for existing payment processes
  • Available across all contact channels including digital
  • Agents are always connected to the customer during a payment
  • Real-time feedback provided to the agent via CallGuard's interface
  • Patented technology
  • Real-time reporting dashboard

Benefits

  • Fraud risk reduction
  • Extends the payment options beyond traditional cards and into e-wallet
  • Turns a MOTO payment into an ecom payment, reducing fraud
  • Supports the latest ecom security standards
  • Allows agents to continue guiding callers through the payment process
  • Removes agents, systems, processes and call recordings from PCI scope
  • Provides a better customer experience
  • Improved security
  • Continuous secure call recording for quality monitoring accuracy
  • Allows for secure call recording, existing or Eckoh's

Pricing

£18.00 to £30.00 a licence

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Louisa.Seymour@eckoh.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

680678077287093

Contact

ECKOH UK LIMITED Louisa Seymour
Telephone: 07825 219705
Email: Louisa.Seymour@eckoh.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Eckoh's Pay by Link service is implemented as an extension of an existing payment process, typically using a PSP hosted payment page or in-house payment page for agents to process customer payments.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Only browsers which are supported for security patches and updates by their manufacturers are supported under the PCI DSS standard and therefore only these will be supported by us.
System requirements
Currently supported browsers: IE9 and above, Firefox, Chrome, Safari

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times do not change at the weekends. Response times depend on the error severity, for example:
  • Critical (24/7 Support) - 1 hour
  • Major - 4 Business Hours
  • Minor - 48 Business Hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
We do not provide a tiered support structure. All support is 24x7x365 and provided as standard within the cost of the service. We provide a technical account manager within the cost of the service.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
New customers will be guided through the onboarding process by a dedicated project manager and/or their operational account manager, depending on the complexity of their requirement.

The following documents will be provided during this process:

1. Getting started: project delivery process, service set-up and testing
2. Service pre-requisites questionnaire
3. Integration documentation
4. Training guides
5. Ongoing support, SLA, and fault reporting.

All documentation is available to download from the support section of our website.

Services are switched on for go live on a specified date in agreement with the customer.
Service documentation
Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
We will provide the buyer with an extract of management information collected during the course of the contract.
End-of-contract process
Configuration data for the service can be provided at this point.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None
Service interface
No
User support accessibility
None or don’t know
API
No
Customisation available
Yes
Description of customisation
The web pages that both the agent and customer are presented with for the payment process can be customised to meet specific business requirements.
Customisation would typically be for non-standard API integration for legacy payment processes, for information required to take the payment (i.e. fields such as payment reference number), for displayed payment status to agents, and for branding presented to the customer.

Scaling

Independence of resources
We manage our platforms and infrastructure using a range of KPI and OPI measurements including average and peak utilization across all components. Trend analyses and sales pipeline are used to ensure that sufficient capacity is maintained for BAU operations and exceptions. Our infrastructure is deployed in a scale-up and scale-out design, allowing for additional capacity to be added without redesign.

Analytics

Service usage metrics
Yes
Metrics types
For CallGuard Eckoh provides:
Total calls (Both inbound and outbound which can be split out)
Total minutes
Avg. duration
Attempted payments
Successful payments
Failed payments
Amount
Confirmations (email, sms)
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data export is carried out by us. We will provide access to an sFTP server for users to access exported data.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
We can also support HTTPS for data transit over the public internet where this is required.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our platform is built from highly resilient components and is spread across two geographically separate sites, each providing resilient solutions for communications and power. As such, the platform provides an availability figure of 99.9% per year.
Approach to resilience
This information is available upon request.
Outage reporting
If for any reason we experience an outage that affects the covered application, it will be reported to the customer as soon as the agreed severity has been reached. The platform has built-in mechanisms for alerting both us and the client to any service-affecting issue. Alerts can be issued via SNMP or email. Severe service-affecting issues are managed by Eckoh's support team. An internal outage report is created and this will be passed on by your Account Manager to an agreed customer contact list via email and/or phone.

Identity and authentication

User authentication needed
No
Access restrictions in management interfaces and support channels
Where required we use secure login, certificates and IP whitelisting to ensure access is restricted. All access is logged and auditable.
Access restriction testing frequency
At least once a year
Management access authentication
Other
Description of management access authentication
There isn't any management access to this service

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
The British Assessment Bureau
ISO/IEC 27001 accreditation date
03/05/2019
What the ISO/IEC 27001 doesn’t cover
Nothing
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Verizon
PCI DSS accreditation date
10/09/2021
What the PCI DSS doesn’t cover
Our entire operation and all services supplied are covered by our PCI DSS certification.
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Eckoh are PCI DSS Level 1
Information security policies and processes
Security of information is pivotal to the successful operation of our business. We will protect these information assets and will do this in ways that are appropriate and cost effective. This will enable us to fulfil our responsibilities and to ensure that a high quality service can continue to be delivered to our clients, their customers and our staff. By maintaining this philosophy and practice we will retain our reputation as the leading provider of hosted self-service solutions in the UK. Responsibilities for information security management are shared between the following:
  • Board of Directors
  • Group Strategy Board
  • UK and US Performance Management Group
  • Security Group
  • Patching and Vulnerability Group
  • UK and US Data Protection & Security Working Groups
Membership of these groups will be maintained by the Data Protection Officer and a committee structure.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our continued compliance with PCI requires the following:
  • A procedure for maintaining platform hardware assets.
  • A procedure for maintaining corporate hardware (PC and laptop) asset information.
  • A procedure for maintaining licensed software asset information.
Our Change Management Process is integral to this process. The IT Director is responsible for maintaining the PCI asset register. This covers hardware and software that is in scope for PCI compliance, including in-house developed payment services, and merchant account codes. PCI asset information related to in-house payment services is captured on Request for Change forms.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have a document that defines the standard procedure and timescale for managing security patches within the company. This includes definitions of:
  • the composition and role of our Patch and Vulnerability Group (PVG)
  • the role of senior management
  • the process of identifying newly discovered security vulnerabilities
  • a formal patch management life cycle process.
This procedure applies to the management of security patches for our Windows and Linux platforms and to our network devices. Where applicable, the application of patches to our hosted infrastructure is subject to agreed client change management and approval processes.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring computer systems and tracking user activity is a critical factor in protecting information security. Without effective monitoring, determining the source of security incidents would prove extremely difficult, and in such circumstances we would not be able to comply with other policies, industry standards or legal requirements. An incident is defined as an unplanned interruption to an IT or client service or reduction in quality of any service. The purpose of this policy is to define our principles and approach to incident management, resolution and longer term remedial action to minimise adverse impacts on business operations.
Incident management type
Supplier-defined controls
Incident management approach
We have a well-defined policy that covers both network and information security incident management. Network incidents are those that reduce the quality or availability of IT services. Information security incidents are those which pose a threat to our information. Users can report incidents by email or phone. We follow a standard process for managing incidents from identification through impact assessment, reporting, fixing and testing to full resolution and RCA. RCAs are provided to clients via email within 5 working days of incident closure.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Eckoh as a business is working towards net zero greenhouse gas emissions. In order to achieve this, as a business, we are reviewing and identifying the changes that need to be adopted by our staff, our suppliers, our customers and how we work in our community to reduce our carbon footprint.
Wellbeing

Eckoh has five values. The fifth value, ‘H’, is for humanity; amongst other areas, this encompasses the well-being of our staff and the support we provide to our local community.

There are continual initiatives in the organization to support the health and wellbeing of our staff, and they evolve as the world around us evolves. For example, the initiatives during COVID and lockdown are different to the current initiatives. We provide flexible working to our employees, enabling parents to have balance in their lives, not only pursuing their careers, but also allowing flexibility to manage their home lives and caring for their children or elderly relatives. We provide a range of benefits to our employees, such as Pilates, fresh fruit etc.

In the community, our chosen charity to support is our local DENS charity, whose aim is ‘Helping Rebuild Lives for people in Dacorum who are facing homelessness, poverty and social exclusion’.

Pricing

Price
£18.00 to £30.00 a licence
Discount for educational organisations
No
Free trial available
No
