allpay Limited

Bill Payment Solutions

allpay's Bill Payment Solutions provide organisations with all forms of payment acceptance across cash, cheque, debit/credit card and direct debit from a single provider on a single platform.

Features

• Cash, Cheque, Debit/Credit and Direct Debit, Pay by Link
• Payment Acceptance over 50,000 Post Office, PayPoint and Payzone Outlets
• Merchant Acquirirng and PCI DSS compliant Payment Gatewaty Card Acceptance
• Paperless Direct Debit Solution, inlcuding bank sponsorship and Bacs-accreditied training
• Direct Debit management solutions
• Automated Telephone Payments, Smartphonoe Mobile Application, Online e-commerce
• SMS Text Payments and Payments by Mobile App
• PCI-DSS complaint DTMF Tone Call Masking Solution for call centres
• Reccuring Card Transactions
• Chip & Pin Solution

Benefits

• Reduced administration - all Payment Services from a single supplier
• Consistency of service achieved through single platform
• Maximise Cashflow through settlement to any bank account(s)
• Secure online access to daily Reconciliation Files, reduces administration
• Full flexibility on collection days and frequencies, aiding customer take-up
• Fully-hosted soltuions, reducing burden of PCI-DSS and BACS compliance
• Comprehensive management information and reporting
• Create seamless intergration via our API's

£0.36 a transaction

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@allpay.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

833019413264172

Contact

Robert Cutler
+441432807543
tenders@allpay.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Any planned maintenance will be carried out outside of the normal working day to minimise any disruption to the service. Clients will be made aware of any planned work prior to commencement.
• System requirements:
  • The solution is compatible with IE9 and above
  • The solution is compatible with Chrome 24 and above
  • The solution is compatible with Safari 9, Firefox 18
  • The solution is compatible with Opera 15 and above
  • The solution is browser based with only internet access required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: UK in-house Customer Service Contact Centre (CSCC) team is available between 08:00 and 18:00 Monday to Friday for both Client and Payer queries.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Outside the Customer Service Contact Centre hours 08:00-18:00 Monday to Friday, allpay ensures an engineer is on call 24/7 for incidents. ; allpay provides a dedicated Account Manager for day to day queries, including performance management, contract queries and any technical issues encountered.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Allpay will appoint a dedicated implementation contact to oversee the full implementation process – with weekly calls scheduled between them, the organisation's dedicated account manager and stakeholders at the Organisation. Typically the implementation would involve confirmation of payment media, payment methods, service settings at both payment networks, card and carrier approval and the receipt of test payment files to ensure compatibility. On-site or web-based training can be provided on allpay’s cloud-based portals, allowing organisations to download Payment Information Files (PIFs), set up and manage direct debits, reconcile payments and order payment cards. Training will cover user permissions, ordering, approving and managing customer accounts, with specialist Support Teams available post go-live. Online Manuals will be provided.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Allpay will work with clients to ensure a smooth exit once the contact ends. Any client data will be returned in the format requested either via SFTP or securely via allpay's management portals.
• End-of-contract process: Allpay's contract price covers the setting up of the service as agreed. If the contract has run its intended or extended term or for any other agreed reason we would return client data (as detailed in the previous question). We would offer (subject to the exact requirement) any assistance we can to allow a smooth exit and transfer to any new supplier.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Allpay provides mobile-optimised Payment Gateway pages for Bill Payments. The mobile-optimised Payment pages feature all the functionality of the desktop sites.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: API's are available for allpay's Direct Debit service, allowing organisations to seamlessly integrate allpay's cutting-edge functionality into their own CRM/Billing Systems, utilising allpay's Restful API's.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Organisations can brand allpay's online Payment and Direct Debit pages. These would be hosted by allpay, reducing the burden of compliance to organisations. ; ; Organisations can also record their own greeting and exit messages utilising allpay's automated telephone solution. ; ; User permissions for the cloud-based management portals can be configured by organisations and file formats can be customised to ensure capability. ; ; Payment Cards and carrier letters, which are delivered to bill payers, can also be branded e.g. with organisation logos, colours. ; ; Bespoke 'How to Pay' leaflets can also be branded and sent to users directly. ; ; Users can customise their payment experience by securely storing Bank Cards and Payment Reference Data to minimise time spent on the payment journey. ; ; Additionally, Payment Information Files, which detail transactions made, can be set to automatically download to the organisation's desired location via out free of charge plug-in Autoconnect.

Scaling

• Independence of resources: Allpay uses a number of utilisation tools to monitor its networks and associated equipment to ensure that all of its clients receive service in accordance with the agreed Service Levels expected. An automated reporting and monitoring process is in place for all platforms, with alert messaging provided to key business stakeholders at certain capacity thresholds. As the service components and client applications can be run on multiple servers and separate services, the architecture is inherently scalable. As such, the solution can easily grow onto multiple servers across data centres making the system horizontally scalable.

Analytics

• Service usage metrics: Yes
• Metrics types: A standard suite of reports is available and can be scheduled for delivery to the organisation, covering user management, transaction breakdowns and transaction history. allpay can also work with organisations to create bespoke reports with the option to have them scheduled. Additionally, real-time reports are available within allpay's Virtual Terminal solution which will allow organisations to view transaction history across all of allpay's card-acceptance channels.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Post Office and PayPoint

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Transfer of data between organisations and allpay uses 256-bit Advanced Encryption Standard (AES) over Transport Layer Security (TLS) 1.2, creating a secure link between the organisation’s internet browsers and allpay’s web servers, ensuring all data transmitted between the two remains secure. Data can be exported securely via allpay's management portals.
• Data export formats:
  • CSV
  • Other
• Other data export formats: ASCII
• Data import formats:
  • CSV
  • Other
• Other data import formats: ASCII

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.5% availability excluding downtime required for planned upgrade and maintenance.
• Approach to resilience: Allpay’s data centres have full redundancy for all amenities and networking connectivity. Its data centres operate with real-time data replication supporting real-time failover between them. This provides a 99.5% availability excluding downtime required for planned upgrade and maintenance. allpay’s data centres are ISO 27001 certified. The allpay system is live 24/7/365.
• Outage reporting: Organisations will be notified in advance of any scheduled maintenance. Scheduled maintenance is communicated via our cloud-based management portal, where a message will be displayed detailing the maintenance period. Additionally, emails would be sent directly to Super Users of the portal, who are sent the scheduled maintenance period by email. Additionally, allpay has a public-facing service status page detailing the availability of all its services at all times.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to allpay's management portals is authenticated via username and password. User accounts are configured with varying level of access available. The nominated super user at the organisation can create user accounts with configurable permissions. Roles can also be created to approve user actions e.g. transactions above specified value thresholds. Data is segregated in the system by unique client codes, ensuring each client only has access to their and their customers' data. Passwords must be a minimum of eight characters, alpha-numeric.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 08/08/2023
• What the ISO/IEC 27001 doesn’t cover: The accreditation covers all aspects of allpay's IT and Security.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: One Compliance Cyber Ltd
• PCI DSS accreditation date: 25/08/2023
• What the PCI DSS doesn’t cover: Allpay is directly PCI-DSS compliant and is a Level 1-certified Payment Services Provider and Payments Facilitator.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • MasterCard and Visa accreditation
  • DPA Registration
  • BACS Certificate of Approval
  • Cyber Essentials Plus
  • ISO 9001
  • ISO 20071

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus
• Information security policies and processes: Allpay has a fully documented and audited Security Information Policy and ISO 27001 accreditation. allpay's Head of Compliance has overall responsibility for ensuring that the policy is followed - he reports to allpay's board of directors on any related matters. A copy of the policy can be provided on request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Allpay uses a Software Development Life Cycle (SDLC) for Software Development – a series of steps that provides a model for the development and lifecycle management of an application/software. Further to this, allpay has technical implementation plans and a change control board to verify changes prior to release into production. allpay uses an Agile development methodology and conforms to OWASP (Open Web Application Security Project). Developers also have training in secure coding techniques. allpay internally code reviews all major applications and revisions against such criteria as the OWASP top 10. ; Practices also comply with ISO 27001 and Cyber Essentials Plus.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Allpay performs monthly internal and external vulnerability scans as required by PCI. Internal auditors review systems as required and in conjunction with the allpay audit plan devised to maintain compliance with ISO 27001 & PCI standards. IT Operations have implemented various tools to monitor the health of the network, e.g. Ops Manager, Apps Manager, Tripwire, SIEM, IPS/IDS, Sophos Suite etc. Checks are made for patches and updates daily, once alerted to a new patch, IT Support will download and review the new patch within four hours of its knowledge of release.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Vulnerability scans are run against the network infrastructure for devices on a scheduled periodic basis and reports are generated on the vulnerabilities identified across the assets in each network zone. ; In response to any identified compromise, allpay has a fully documented and audited Information Security Response Plan that covers all reports of information security weaknesses or events relating to any of the organisation’s information assets. This is available on request.; allpay has in place SLAs for incident response management, detailing fix times, response times and interval updates for critical and high impact incidents. These are available on request.
• Incident management type: Supplier-defined controls
• Incident management approach: Allpay has pre-defined processes in place for incident management. This is inline with ISO 27001. allpay’s Information Security Policy Handbook provides a framework for the management of information security to minimise risk (this is available on request). The high-level procedure for responding to any security incident is as follows: • Advise Head of Compliance • Commence investigations • Submit Security Incident form • Identify and implement resolution • Produce report • Update documentation • Advise management. Incident reports are available to clients through allpay's Customer Service Contact Centre.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  As an ISO 14001, ISO 50001 and ISO 45001 accredited company, allpay is aware of the responsibilities regarding its environmental impact and has implemented company-wide initiatives and targets to reduce environmental impact, ethically and sustainably.; ; allpay is a registered producer of hazardous waste. We ensure that our disposal methods have a minimal impact on the environment and conforms to statutory and legal requirements. We have signed an agreement with a licensed waste disposal company for the collection and disposal of manufacturing waste, which is recycled.; ; allpay recently announced its intention to offer an almost 100% recycled card product by enhancing its relationship with SPICA's closed loop recycling project. ; ; Using recycled PVC contributes to the preservation of natural resources by reducing the demand for virgin PVC, helping to minimise landfill volumes. A key advantage is that recycled PVC can be recycled multiple times without significant loss of quality or performance.; ; allpay's recycled PVC cards have been approved by Mastercard and Visa and are subject to the quality standards of the Card Quality Management (CQM) system. All cards are produced to a CQM A-grade. In March, allpay passed the Mastercard Sustainability Audit and attained the Mastercard Sustainability Badge.; ; The use of modern, well-maintained equipment allows allpay to operate at very low levels of wastage for its Payment Card manufacturing. The wastage rate for its operations in previous years has been less than 1%.; ; allpay recently announced its intention to offer an almost 100% recycled card product by enhancing its relationship with SPICA's closed loop recycling project.; ; Looking ahead, we are shortly hoping to become a 'Planet Mark certified business' following an in-depth measurement and verification of our carbon footprint.; ; We have also signed a new electricity contract with Ecotricity to supply our site with 100% renewable energy from 1st September.

Pricing

• Price: £0.36 a transaction
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@allpay.net. Tell them what format you need. It will help if you say what assistive technology you use.