Melissa Data Ltd

PEP, Sanctions, Watchlist checks

PEPs & Watchlist checks in real time. Checks and verifies input contact data, globally. Verify an individual's: name, address, phone, email, date of birth, and national ID - against trusted reference data. Improve regulatory compliance, help prevent fraudulent transactions, and ensure trust of the people accessing services.


  • Background checks: PePs / Watchlists
  • Search UK, European and worldwide watchlists
  • REST/JSON Web service for easy integration
  • Inputs verified: Name, Address, DOB, National ID, Phone, Email
  • Matches name to address to email to phone
  • Corrects and verifies UK & Global address and contact data


  • Identify individuals from trusted UK & Global reference data
  • Enhance fraud detection and prevention (AML)
  • Identify individuals that appear on Global Watchlists
  • Enhance service delivery and process efficiencies
  • Improve held data for analytics, marketing & logistics
  • Meet KYC and Customer Due Diligence requirements
  • Keep held database up to date and compliant


£500 per licence per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Melissa Data Ltd

Barley Laing

020 7718 0070

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints The very nature of this solution with its near-real time access to identity data such as credit, government, utility, phone, postal, consumer and commercial sources requires that this be deployed in a public, private, or hybrid cloud environment.
System requirements
  • Licenced dependent on use case
  • Can be licenced as: Public; Private or Hybrid Cloud
  • Can be licensed: per country and per transaction.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support for standard service provision is typically 20 to 24 hours, 5 day a week. Individual SLA's can be arranged if required. Response times therefore vary depending on above.
Standard service response times are within 24hrs (Monday to Friday)
SLA's can be arranged for responses within 1 hr 24/7
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web chat is available through our website, and provides live access to our global support team. Licenced service users can also access our wiki, which contains all service documentation, best practices, sample code, service URLs, example request/response etc.
Web chat accessibility testing None
Onsite support Onsite support
Support levels Standard support is 20 hrs a day Mon to Fri. This can be via email, phone or webex. This support is provided for free for the lifetime of the service licence, and includes service training and integration assistance. Standard support is based on a ticketed system and accesses all of our global support agents.
SLA's - tailored support packages are available. These vary depending on requirement but can provide response times of within 3 hours 24/7, with named technical support engineers in a tiered escalation process. SLA costs are based on the individual requirements for uptime and support levels.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Full service start up guidance is available through our online wiki: technical documentation; sample code; service URLs; FAQs etc.

Training can be delivered: Onsite, Telephone, Online webex, and Email.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction This is clarified at the beginning of individual contracts, Melissa Data conform to the relevant regulations and procedures.
End-of-contract process Contracts & T/C's detail the period for which a service is licenced and how it can be used.

Licencee's can renew at the end of the agreed initial licence, or stop licencing the service without penalty - as long as no agreed conditions or contractual arrangements have been breached.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Services can be delivered to any screen size resolution
Accessibility standards None or don’t know
Description of accessibility Service is a Cloud API, and accessible through REST, SOAP, XML, JSON,
Accessibility testing Not known
What users can and can't do using the API Users can consume the Global ID service through an API. As such it can be integrated anywhere in an organisations process flow. Users will use a Web Portal to determine transaction counts.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The format and integration of the service can be defined by the licence holder. When providing a private cloud solution we can customise countries covered and accessed, as well as elements of result scoring and matching. This is done as professional services, not directly by the customer and quoted separately.


Independence of resources The service feature a clustered approach so incoming requests are equally distributed on many nodes ensuring consistency and failover. Service monitors have On-Demand instances ready to spin up at a moment's notice in response to load. Globally distributed DNS architecture means there aren't any single points of failure.


Service usage metrics Yes
Metrics types A count of transactions and the date submitted is kept. SNMP metrics, Server metrics and network protocol metrics are also kept for a six month duration.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach Supplied data is never stored.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach The service returns real-time JSON requests and responses that are exported to the source system by program code.
Data export formats Other
Other data export formats JSON
Data import formats Other
Other data import formats
  • REST
  • JSON

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Services will be available during each calendar quarter at least 99.99% of the time, measured inside Melissa Data’s data centers. The measurement will be in 5 minute intervals, with each 5 minute interval of downtime counting as 3.5% (5/(60 * 24)) of the downtime for the day. The system is designed for full availability during routine maintenance.
Approach to resilience The Melissa Data cloud is running Windows 2008 64 Bit servers using Network Load Balancing cluster technology in multiple geographically distributed commercial data centre locations. DNS Load balancing and web service health monitoring are enabled so unhealthy servers are removed from rotation automatically. All incoming requests are sent immediately to available servers in the cluster. Melissa Data provides monitoring and real time testing of all servers, so that any problems will be flagged and technicians notified. This design eliminates single points of failure and helps ensure high availability for critical systems.
Outage reporting Outages are reported via Email Alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels Username and Password are required to access portals. Callers for support will need to provide an encrypted License key or have an email requesting support from an authorized person in the authorized distribution group for the requesting company.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Beyond Security
PCI DSS accreditation date 1/1/2017
What the PCI DSS doesn’t cover Self attestation has been carried out. However only the Penetration test portion of the DSS certification is available from Beyond Security.
Other security certifications Yes
Any other security certifications
  • SOC 2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards SSAE16, SOC 2, PCI DSS, HITECH
Information security policies and processes A. It is the policy of MELISSA DATA CORP. (MDC) that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. Policies will be periodically reviewed for appropriateness and currency at least semi annually.
C. At each department and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. At each department level periodic reporting will be made of adherence to policy to the Information Security Officer.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Web Service compatibility is maintained throughout the lifetime of the service. New versions are periodically rolled out but any deprecated elements are maintained to support existing client code. Changes are communicated well in advance and new URLs are sent out to facilitate a gradual migration to new service endpoints. All planned releases follow a security testing model that is OWASP compliant to ensure security.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Periodic training is conducted to keep all information security personnel up to date with security bulletins and vendor patches. All services are tested using the OWASP framework to ensure security guidelines are followed. Patches are rolled after testing within a few hours to a few days time depending on severity. Information security personnel are briefed by Enterprise Vendors for equipment and antivirus software, Open Threat Exchange and misc. Security professional websites.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Because Melissa Data does not store client supplied data and encrypts transmissions to and from the servers, potential compromises are greatly reduced. However even in this hardened architecture digital fingerprinting and audit techniques can be carried out and email bulletins sent out within a few minutes of an intrusion.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Logging and audit trails are kept at every level and are reviewed continuously by company personnel. Users can report incidents directly to the IT staff and reports on outages and or intrusions will be sent out via a special web service bulletin email when an event is detected and when the postmortem is generated and the remedies identified.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £500 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Access to API's for service testing (some limits on response outputs depending on application requirements)

Standard appraisal time is limited to 4 weeks, but can be extended in certain circumstances


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑