allpay Limited

Payout and Payout Now

allpay’s Payout solution provides simple, secure, inclusive and accessible solution to provide a channel for Cash disbursements, which can be redeemed over the counter at the Post Office.

Features

• Can be redeemed over-the-counter at the Post Office
• Nearly 12,000 Post Offices for users to cash out vouchers
• No bank account, Know Your Customer or credit checks required
• Single use vouchers which are validated in real-time
• No minimum or maximum amounts
• One month validity
• Vouchers available in various forms; email, SMS or paper

Benefits

• Batch load available for bulk requests
• All accessed via a dedicated portal
• Paper vouchers can be converted to Braille, large print
• Email vouchers available in large print and all languages
• SMS vouchers for simple quick delivery in emergency situations
• Payments can be made direct to 3rd parties
• Ongoing support from our dedicated Payout Customer Service Team

£1.42 a transaction

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworks@allpay.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

706122304627672

Contact

David Roberts
07713326224
frameworks@allpay.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Any planned maintenance of solution will be carried out outside of the normal working day to minimise any disruption to the service. Clients will be made aware of any planned work prior to commencement.
• System requirements:
  • The solution is compatible with IE9 and above
  • The solution is compatible with Chrome 24 and above
  • The solution is compatible with Safari 9, Firefox 18
  • The solution is compatible with Opera 15 and above
  • The solution is browser based with only internet access required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: UK in-house Customer Service Contact Centre (CSCC) team is available between 08:00 and 18:00 Monday to Friday for both client and payer queries.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Outside the Customer Service Contact Centre hours 08:00-18:-- Monday to Friday, allpay ensures an engineer is on call 24/7 for incidents. allpay provides a dedicated Account Manager for day to day queries including Performance Management, Contract queries and any Technical Issues encountered.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Allpay will appoint a dedicated Implementation Contact to oversee the full implementation process - with weekly calls scheduled between them, the organisations dedicated Account Manager and Stakeholders at the Organisation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Allpay will work with clients to ensure a smooth exit once the contact ends.
• End-of-contract process: Allpay's contract price covers the setting up of the service as agreed. If the contract has run its intended or extended term or for any other agreed reason we would return client data (as detailed in the previous question). We would offer (subject to the exact requirement) any assistance we can to allow a smooth exit and transfer to any new supplier.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Vouchers are available via email and SMS
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Allpay’s web-based portal is compatible with IE9 and above, Chrome 24 and above, Safari 9, Firefox 18 and above, Opera 15 and above.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Allpay’s web-based portal is compatible with IE9 and above, Chrome 24 and above, Safari 9, Firefox 18 and above, Opera 15 and above.
• API: No
• Customisation available: No

Scaling

• Independence of resources: Allpay uses a number of utilisation tools to monitor its networks and associated equipment to ensure that all of its clients receive service in accordance with the agreed Service Levels expected. An automated reporting and monitoring process is in place for all platforms, with alert messaging provided to key business stakeholders at certain capacity thresholds. As the service components and client applications can be run on multiple servers and separate services, the architecture is inherently scalable. As such, the solution can easily grow onto multiple servers across data centres making the system horizontally scalable.

Analytics

• Service usage metrics: Yes
• Metrics types: Daily Management Information reports available via the portal as well as weekly Finance reports, all of which can be reconciled back to invoicing issued by allpay on a monthly basis
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Post Office

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Transfer of data between organisations and allpay uses 256-bit Advanced Encryption Standard (AES) over Transport Layer Security (TLS) 1.2, creating a secure link between the organisation’s internet browsers and allpay’s web servers, ensuring all data transmitted between the two remains secure. Data can be exported securely via allpay's management portals.
• Data export formats:
  • CSV
  • Other
• Other data export formats: ASCII
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.5% availability excluding downtime required for planned upgrade and maintenance.
• Approach to resilience: Allpay’s data centres have full redundancy for all amenities and networking connectivity. Its data centres operate with real-time data replication supporting real-time failover between them. This provides a 99.5% availability excluding downtime required for planned upgrade and maintenance. allpay’s data centres are ISO 27001 certified. The allpay system is live 24/7/365.
• Outage reporting: Organisations will be notified in advance of any scheduled maintenance. Scheduled maintenance is communicated via our cloud-based management portal, where a message will be displayed detailing the maintenance period. Additionally, emails would be sent directly to Super Users of the portal, who are sent the scheduled maintenance period by email. Additionally, allpay has a public-facing service status page detailing the availability of all its services at all times.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to allpay's management portals is authenticated via username and password. User accounts are configured with varying level of access available. The nominated super user at the organisation can create user accounts with configurable permissions. Roles can also be created to approve user actions e.g. transactions above specified value thresholds. Data is segregated in the system by unique client codes, ensuring each client only has access to their and their customers' data. Passwords must be a minimum of eight characters, alpha-numeric.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 04/12/2017
• What the ISO/IEC 27001 doesn’t cover: The accreditation covers all aspects of allpay's IT and Security.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Sysnet Global Solutions
• PCI DSS accreditation date: 14/03/2019
• What the PCI DSS doesn’t cover: Allpay is directly PCI-DSS compliant and is a Level 1-certified Payment Services Provider and Payments Facilitator.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • MasterCard and Visa accreditation
  • DPA Registration
  • Cyber Essentials Plus
  • ISO 9001
  • BACS-Approved Bureau
  • ISO 27001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Allpay has a fully documented and audited Security Information Policy and ISO 27001 accreditation. allpay's Head of Compliance has overall responsibility for ensuring that the policy is followed - he reports to allpay's board of directors on any related matters. A copy of the policy can be provided on request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Allpay uses a Software Development Life Cycle (SDLC) for Software Development – a series of steps that provides a model for the development and lifecycle management of an application/software. Further to this, allpay has technical implementation plans and a change control board to verify changes prior to release into production. allpay uses an Agile development methodology and conforms to OWASP (Open Web Application Security Project). Developers also have training in secure coding techniques. allpay internally code reviews all major applications and revisions against such criteria as the OWASP top 10. Practices also comply with ISO 27001 and Cyber Essentials Plus.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Allpay performs monthly internal and external vulnerability scans as required by PCI. Internal auditors review systems as required and in conjunction with the allpay audit plan devised to maintain compliance with ISO 27001 & PCI standards. IT Operations have implemented various tools to monitor the health of the network, e.g. Ops Manager, Apps Manager, Tripwire, SIEM, IPS/IDS, Sophos Suite etc. Checks are made for patches and updates daily, once alerted to a new patch, IT Support will download and review the new patch within four hours of its knowledge of release.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Vulnerability scans are run against the network infrastructure for devices on a scheduled periodic basis and reports are generated on the vulnerabilities identified across the assets in each network zone. In response to any identified compromise, allpay has a fully documented and audited Information Security Response Plan that covers all reports of information security weaknesses or events relating to any of the organisation’s information assets. This is available on request. allpay has in place SLAs for incident response management, detailing fix times, response times and interval updates for critical and high impact incidents. These are available on request.
• Incident management type: Supplier-defined controls
• Incident management approach: Allpay has pre-defined processes in place for incident management. This is inline with ISO 27001. allpay’s Information Security Policy Handbook provides a framework for the management of information security to minimise risk (this is available on request). The high-level procedure for responding to any security incident is as follows: • Advise Head of Compliance • Commence investigations • Submit Security Incident form • Identify and implement resolution • Produce report • Update documentation • Advise management. Incident reports are available to clients through allpay's Customer Service Contact Centre.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  allpay have acted swiftly to government mandate by commencing Q1 2022 with a fresh and key strategic objective of formalising it’s approach to Corporate social responsibility combining it’s 3 synergistic pillars of Environmental, Social and Governance to be soundly incorporated within tender frameworks. An initiative has been formed, namely ‘ Carbon Net heroes’ within internal expertise forming the stakeholder group who alongside carefully outsourced SME consultancy pave the way and itinerary for the Environmental push to carbon neutrality constructing the sequential steps how we get there in line with CSR strategy. Furthermore, social value forms the front and centre of everything we do, with planning spearheaded from the board down across IT, Marketing, Facilities Management and our charity committees to list all the opportunities, resource and capability required to deliver just that, social value, a vehicle for social mobility in our communities. Initiatives identified include : Eradicated leased assets in Kingstone, Cheltenham (Massive reduction in energy and carbon), Car sharing and company transportation to work, Eco-card production, Electric car chargers, Careful supplier selection and due diligence , LED lighting replacement across the physical estate, WFH and online meeting first strategy, Cloud first strategy with VPNs allowing more working from home, Solar power planning , Removal of all gas off-site to electric only As an ISO 14001 and ISO 45001 accredited company, allpay takes its responsibility regarding social value incredibly seriously and as such, has implemented company initiatives and targets to reduce its environmental impact in an ethical and sustainable way. allpay recognises the main activities of its business release greenhouse gases which includes electricity, waste disposal/recycling, business travel and staff commuting. allpay endeavours to use the minimum quantities of energy for the efficient operation of its heating, lighting and production activity, with these levels decreasing year-on-year.
• Covid-19 recovery:

  Covid-19 recovery

  allpay plays an active role in local community and engages regularly with charities and local businesses to raise money for worthy causes. As part of this, allpay runs its own Charity Committee which has been in operation for 12 years – raising more than £75,000. In 2020 as the staff restaurant had to close due to COVID-19, we donated our stock to the local food bank and members of our team helped to deliver food parcels to those in need. In January 2021, allpay donated surplus coffee vending machines to The Salvation Army which was a welcomed addition once they reopened. We also donated 20 laptops to Laptops 2 Kids, a Herefordshire based charity, which provided the children with the technology they needed to learn remotely during the pandemic. Following Storm Dennis, which caused large-scale destruction to Herefordshire and surrounding counties, the Herefordshire Community Foundation (HCF) launched an appeal for donations to help those who had been significantly affected. To aid the disbursement of funds, allpay as an E-money issuer, provided its Prepaid Card Service to enable the electronic issuing of emergency payments. To support the local community, allpay decided to waive all fees for the cards, providing card manufacturing, personalisation, dispatch, and ongoing usage free of charge. In addition to this, allpay is currently supporting local Herefordshire Charity, The Living Room. The charity aims to help those on low incomes, experiencing isolation, who are lacking support. The partnership began with allpay offering to distribute free school meals and the opportunity to support a full-time member of staff has meant that the charity can now expand their offerings quicker and support more families.
• Tackling economic inequality:

  Tackling economic inequality

  allpay fully supports apprenticeship programmes and a direct contributor to the “Apprenticeship Levy” since 2017. This sees us work closely with national and local training providers in developing our programme, earning both local and national recognition. allpay offers apprenticeship training across a range of job roles and departments, stretching from entry level 3 through to Masters degree at level 7. Of its 268 staff, nearly 10% is or has been part of the programme. Apprenticeships, along with all roles, are extensively advertised on our website and social media platforms. allpay also works with a number of local Herefordshire schools to support their work experience programmes, setting aside dedicated dates for the vast majority of departments to support with individuals learning. allpay currently takes on between 8-10 work experience placements a year.
• Equal opportunity:

  Equal opportunity

  allpay has an established Equality and Diversity policy and Gender Pay Gap policy outlining its commitment to equality, diversity and fairness throughout pay structures and recruitment. All staff members have a duty to act in accordance with our Equality and Diversity Policy and treat all colleagues with dignity and respect. allpay is committed to promoting equality of opportunity for all staff and job applicants and an environment free from discrimination for everyone including those with any of the nine protected characteristics. We aim to create a working environment in which all individuals can make best use of their skills, free from discrimination or harassment, and in which all decisions are based on merit. allpay’s recruitment procedures are reviewed regularly to ensure that individuals are treated based on their relevant merits and abilities. We encourage individuals of all backgrounds to apply for existing vacancies, new opportunities or promotions and have an enviable record of growing our own people. To ensure that this policy is operating effectively and to identify groups that may be underrepresented or disadvantaged in our organisation, we monitor applicants’ ethnic group, gender, disability, sexual orientation, religion and age as part of the recruitment procedure. Provision of this information is voluntary and it will not adversely affect an individuals chances of recruitment or any other decision related to their employment. The information is removed from applications before shortlisting and are kept in an anonymised format solely for the purposes stated in this policy. Analysing this data helps us take appropriate steps to avoid discrimination and improve equality and diversity.
• Wellbeing:

  Wellbeing

  Living Wage Employer Since 2014, allpay has been proud to be accredited by the Living Wage Foundation for supporting employees by paying the real Living Wage. In an area which is one of the lowest paid counties in the UK, we are proud to be the first Herefordshire-based employer to commit to the scheme. In 2016, allpay became the West Midlands Living Wage Employer Champion, which recognised the contributions made to communities by implementing and promoting the Living Wage. To promote the scheme, allpay runs an annual Living Wage week alongside the Foundation, highlighting the value both internally and externally via our social media platforms, partner companies and suppliers. As part of its commitment to developing its workforce, allpay operates an internal Learning & Development Team, who carry out a wide range of workshops specific to both individual roles and payment services provided. For the first time in 2019, allpay ran an internal “Wellbeing Week”, aimed at promoting health, safety and mental wellbeing of our employees and the wider community. At the start of the week, each employee received their own Wellbeing Week Information guide, outlining the events and workshops available to staff throughout the week. Events included health kiosks, bitesize training, steps challenge and water consumption. Staff benefits: Staff wellbeing is of utmost importance to allpay and to such end have recently opened an outdoor space; The Four Seasons, where we have planted around 50 trees from local garden centres. This area is available to staff for dining (in addition to our 2 staff restaurants) with a heated meeting space and an indoor meeting room.

Pricing

• Price: £1.42 a transaction
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworks@allpay.net. Tell them what format you need. It will help if you say what assistive technology you use.