Vix Technology Ltd

Vix Whisper

The Whisper pay-as-you-go (PAYG) EMV Service provides all essential elements to deliver easy fare payments with bank cards on public transport. The Whisper solution is delivered from a highly reliable and secure cloud service infrastructure.

Features

• Intuitive ‘tap and go’ access to transport via contactless EMV
• Reduction of fare media management and related costs.
• Touchless, efficient boarding, removing driver interaction and cash handling
• Stepping-stone towards future account-based ticketing and MaaS
• A 24x7 PCI-DSS compliant payment platform service
• Training and documentation to support
• API and developer support to enable local innovation and agility
• A maintained EMV transit scheme service with ongoing enhancements
• Customers always charged fairly, building trust.
• SaaS model removes the expense and resource burden from PTOs

Benefits

• Connection to a service, continually enhanced by Vix
• Quickly deploy transit contactless EMV payment services
• Lower Total Cost of Ownership for Transit Operators
• Removes the Back Office fare management from PCI-DSS scope
• Reduces management and compliance overheads and avoids external audit
• Architecture based on years of Vix payment processing experience
• Payment scheme rule changes updated by Vix
• Allows operations staff to focus on services not payments
• Vix validator integration supported out of the box
• Operators benefit from automated debt recovery and first-ride risk coverage

£23,000 an instance a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at uk.tenders@vixtechnology.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

775653522537737

Contact

Tim Burke
01223 697000
uk.tenders@vixtechnology.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Whisper is a maintained service with ongoing enhancements providing a stepping-stone towards future fare collection technologies, such as account-based ticketing and MaaS.
• Cloud deployment model: Public cloud
• Service constraints: Maintenance windows will be provided as part of the overall negotiated service package and are planned to take place outside of regular service hours to minimise the service impact.
• System requirements: Requires API integration with external Front and Back Office systems

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Questions will be responded to within 2 Hours of receipt within normal working hours. Response times for Incidents, Problems etc can be discussed and agreed prior to contract sign off but typically the Vix Service Desk team adheres to a 30 minute response window. Response time is subject to 24/7 out of hours cover but fault rectification is contingent on contractual agreements for out of hours cover based on criticality.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Service level is negotiated based on customer business needs. Service levels ranging from UK business hours to 24/7 are available, and can be packaged with other service and support components of the solution. Support costs will vary depending on the amount of cover required and the size of the deployment but would be detailed as part of the original quotation & negotiation. Maintenance services include access to Vix Level 1, Level 2, and Level 3 support personnel via our ticketing system, which include field service personnel, application support engineers, cloud engineers, and software developers depending on the nature of the issue. Vix will provide a Customer Success Manager to liaise between the customer and the Vix Technical Teams, and conduct monthly service reviews. Vix will provide monthly Service Reporting summarising each month's activities.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: This will all be defined during the project phase and scoped to suit. This will include provision of documentation and training sessions. Training sessions are primarily done via online training methods now except where onsite presence is required. We are flexible to our approach to training and willing to discuss alternatives based on customers' needs and preferences.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Provisions will be made during the end-of-contract process to provide any information required. This will be captured as part of the wider discussion of contract termination.
• End-of-contract process: The platform is provided as a SaaS model. Once the contract concludes, the service will no longer be accessible. Specific inclusions may vary based on agreed contracts but typically include the provision of the software and the requested number of licenses, and a support/maintenance component for raising faults, setting up users, resetting passwords, etc. At the end of the contract, system(s) would no longer be accessible and maintenance/support would cease.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 AAA
• API: Yes
• What users can and can't do using the API: The Whisper API is used for integration to external services such as Front Office devices, Back Office systems and Acquirer Services. Integration through these APIs is part of the service setup process.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: The service leverages Amazon’s scalability

Analytics

• Service usage metrics: Yes
• Metrics types: Monthly KPI report as standard to all customers.; Service Management metrics, SLA adherence, & availability.; Additional in-depth analysis is available via service request to our service desk team.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Other
• Other data at rest protection approach: Sensitive data is encrypted per PCI-DSS using keys stored in AWS CloudHSM. No GDPR-related data is processed.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: PCI-DSS compliant tokenised data exported to back office AFC systems.
• Data export formats: Other
• Other data export formats:
  • Tokenized data shared with complaint systems as per PCI-DSS.
  • JSON
• Data import formats: Other
• Other data import formats:
  • Tokenized data shared with complaint systems as per PCI-DSS.
  • JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: Other
• Other protection within supplier network: HSM-based AES256 encryption, SHA-256 hashes, TDEA-CMAC message authentication

Availability and resilience

• Guaranteed availability: Services are hosted in AWS. SLAs can be agreed upon contract commencement.
• Approach to resilience: Leveraging AWS multi-AZ services
• Outage reporting: Online monitoring event stream for customer monitoring systems.; Outage reporting is provided via email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Cloud provider IAM for infrastructure management. ; Industry standard products used for 2FA to OS-level access.
• Access restrictions in management interfaces and support channels: Management interfaces are whitelisted. Access to the service and environment is restricted to approved personnel only.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Control Case
• ISO/IEC 27001 accreditation date: 23/11/2018
• What the ISO/IEC 27001 doesn’t cover: Vix has full ISO27001 certification in addition to the mandated cyber essentials.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Control Case
• PCI DSS accreditation date: 18/01/2018
• What the PCI DSS doesn’t cover: The Whisper service is fully PCI-DSS compliant
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Vix is ISO/IEC 27001 certified. We maintain a documented ‘Information Security Management System (ISMS)’ as part of this certification.; We have created, maintain and adhered to a set of System Policies, Standards and Procedures, which are used to identify and mitigate any information risk. Example policies include Server Security, Remote Access and Acceptable Use Policies. Staff are required to both read and implement policies day to day depending on their role. Some policies such as the acceptable use policy is read by all staff and a signed acknowledgment to adhere to the policy obtained ; Vix conducts regular training for all staff to ensure policies are followed, including information security and data protection. This occurs when they join the company (including contractors and non-permanent staff). New training modules are also issued monthly to all staff covering a variety of topics including a focus on data handling, collection, processing, transfers, and legislation (GDPR, UK Data Protection Act etc).; We have an internal Cyber Security Council that meet monthly to review our security position and any incidents/actions required. Additionally, we have processes in place to react to and manage security incidents, which includes customer engagement and reporting.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: ITIL v3 best practices.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability and Risk Management Policies and Process as required by PCI-DSS Requirement 6 and 11; SIEM, FIM, AV, and vulnerability scanning tools used
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Regular reviews are performed as required by PCI-DSS. A SIEM is used by our 'follow the sun' Security Operations Centre (FTS SOC) to monitor and detect security incidents. The FTS SOC teams are located in UK, USA and Australia and we use common Incident Response playbooks to respond to incidents to ensure consistency.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Incident Response and Test Procedures as required by PCI-DSS Requirement 12.10; Incident Response Documentation with roles and responsibility and incident workflow from initial discovery through to forensics investigation if a potential breach occurred

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Vix has set environmental targets, emphasising waste reduction, CO2 emissions mitigation, and improved energy efficiency. Our commitment to environmental preservation is evident through our ISO 14001:2015 certified Environmental Management System. We prioritise compliance with environmental laws, product sustainability, waste reduction, and pollution prevention. Additionally, we engage suppliers to uphold environmental standards and foster staff involvement through training programs. Our ambitious goal is to achieve net-zero emissions by 2030, primarily through emission reduction and offsetting, particularly utilising natural carbon sinks like forests. This comprehensive strategy reflects our unwavering dedication to sustainability and environmental responsibility.; In 2020, we initiated a partnership with the UK's National Forest to offset our carbon footprint and assist customers in offsetting theirs. We meticulously track energy usage, travel, waste, and recycling, offsetting our 250-tonne CO2 emissions through tree planting. Our monthly reports demonstrate steady progress towards our net-zero goal by 2030. Transitioning to renewable energy-powered platforms like Google Suite and AWS supports our sustainability objectives. Furthermore, our regional hubs in Cambridge and Leeds operate on renewable energy, adhering to ISO14001 standards. Initiatives such as recycling programs, energy-efficient lighting, and policies promoting low-emission vehicles underscore our commitment to environmental responsibility. Notably, we are actively transitioning all maintenance vehicles to electric variants, already replacing vehicles in Scotland and Yorkshire, as part of our dedication to climate resilience.; We rigorously assess our supply chain to ensure alignment with Vix's environmental processes, encouraging suppliers to adopt effective practices like using recycled packaging materials. Subcontractors and suppliers undergo thorough vetting during initial due diligence and regular audits to ensure sustained compliance with Vix standards. We measure supplier performance using our Supplier Performance Improvement tool, emphasising accountability and continuous improvement in environmental practices.

  Equal opportunity

  Our company policy upholds laws against discrimination, including on the basis of disability, ensuring equal employment opportunities for all. We prohibit any form of discrimination by our employees. Vix actively accommodates qualified individuals with disabilities, whether they are applicants or employees. ; Vix is an equal opportunity employer and makes employment decisions on the basis of merit; we want to have the best available person in every role. In cases where multiple candidates for an open position have the required qualifications, Vix will consider choosing the candidate who will further diversify the Company’s talented employee base. ; We have a DEI charter and also our Flexible working approach is very supportive of people with disabilities, giving them freedom to work in an environment that suits. If someone declares a disability, we ask them if there are any reasonable adjustments we can make via our Occupational Health services.; Our Equal Opportunities policy ensures that wage parity is adhered to regardless of gender. Our HR team undertakes periodic salary benchmarking to ensure that salaries are aligned to or exceed industry norms.; We have a global Whistleblowing Procedure, offering a secure platform for employees to voice any concerns they may have.; Personal Development Plans (PDRs) outlining work targets, personal growth goals, and feedback through quarterly and annual performance reviews are undertaken for all. We prioritise regular 1-2-1s with line managers and tailor personal development to each individual’s goals.; Vix complies with Section 54, Part 6 of the Modern Slavery Act 2015, aiming to prevent slavery and human trafficking within our operations and supply chain. We have a supplier and partner Code of Conduct and a Modern Slavery & Human Trafficking Statement, which Suppliers must declare acknowledgement of and comply with. Vix is opposed to slavery, trafficking in persons, and forced labour in any form.

  Wellbeing

  Vix prioritises practices that enhance both physical and mental wellbeing while minimising absenteeism. We offer wellbeing initiatives including flexible working hours, which promotes a culture of performance, collaboration and accountability. We facilitate wellbeing sessions via video conferences, where staff can share ideas and tips to maintain a healthy work-life balance. ; We convey to the teams that Mental Health should be treated in the same sympathetic way as physical health. Teams are trained to recognise common symptoms and to reach out to colleagues to offer help, or to report any serious concerns to HR. All line managers are encouraged to undertake daily, or as a minimum, weekly check in calls with their team members.; We provide an Employee Assistance Programme with a 24/7 helpline for confidential advice. Our successful annual flu vaccination programme reduces sickness days. Additionally, we offer subsidised private healthcare and childcare vouchers . ; We recognise the importance of community outreach, linking community benefits to our services, while providing a positive perception of our customers within communities which may help to encourage an uplift in public transport use.; We provide Digital Inclusion drop-in training sessions with the rural communities and existing community groups who are dedicated to delivering inclusivity. We work with schools, colleges and organisations who provide care for children. These workshops will outline how technology is used to maintain and improve public transport services. They link this to wider national objectives such as reducing carbon emissions, traffic congestion and helping participants understand why improved public transport services benefit the economy and communities by providing social inclusion, access to employment, leisure services and tourism. We further provide careers advice to participants, describing the kinds of careers that are available within our industry. The aim will be to encourage participants to consider a career in this crucial economic sector.

Pricing

• Price: £23,000 an instance a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at uk.tenders@vixtechnology.com. Tell them what format you need. It will help if you say what assistive technology you use.