paygate

paygate is a feature-rich payment platform that works with any ERP, Payroll or accounting system to manage all your Bacs payments, Faster Payments and Direct Debit collections. It drives payment efficiency by reducing time, cutting costs and eliminating risk from one robust, ultra-secure solution.

Features

  • Secure cloud solution with replication between multiple instances in AWS
  • Support for Bacs Direct Credits, Direct Debits & Faster Payments
  • Support for Direct, Indirect & Bureau payment submissions
  • Expert support provided by a highly experienced UK team
  • Compatible with any ERP system or accounting package
  • Customisable workflows to suit your unique business sign-off processes
  • Intuitive user-friendly interfaces with context-sensitive help
  • Consolidate multiple bank accounts across multiple banks
  • Secure alternatives to smartcards using two-factor authentication
  • Audit friendly - retains a digital audit trail of actions

Benefits

  • Stay up-to-date – navigate regulatory change and access new features
  • Built-in disaster recovery aids contingency planning
  • No transaction charges means predictable costs as your business grows
  • Check and validate data at multiple stages to ensure accuracy
  • Avoid non-compliance risk with rock solid reporting
  • Demonstrate evidenced monitoring with full audit trails
  • Manage and simplify complexity with easy process automation
  • Set rules, policies and limits to ensure accurate processing
  • Facilitate supremely secure mobile and flexible working
  • Manage spend and ROI with modular components

Pricing

£1,750 an instance a year

Service documents

Framework

G-Cloud 12

Service ID

175850945559419

Contact

paygate

Sales Team

01462 482 333

sales@paygate.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
ERP, CRM, Payroll, Finance and Accounting Packages - any source system that generates input data for your payments (Credits, Debits, DDIs etc)
Cloud deployment model
Hybrid cloud
Service constraints
Planned maintenance to the service is undertaken outside of standard business hours and Bacs processing times. Customers are advised in advance and service interruptions are kept to a minimum.
System requirements
  • Any mainstream browser can be used for access
  • Internet Explorer required if using smartcards for signing

User support

Email or online ticketing support
Email or online ticketing
Support response times
For Priority 1 issues our standard SLA is to respond within 1 business hour. For lower priority issues, in practice most email tickets are responded to within 2 hours.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
As standard you are given a dedicated account manager as your key point of contact. For any technical issues, our customer support team are also available to you within your contracted support hours, for which we provide two levels:

- Standard Support, provided by default, covers Monday to Friday (excluding UK bank holidays) from 0900-1700 (UK time)
- Enhanced Support, provided at an additional cost, covers Monday to Friday (excluding UK bank holidays) from 0900-2100 (UK time)

Pricing for Enhanced Support is included on our price list.

Remote support is provided by default. Should a technical support engineer be required to visit your site directly, this would be chargeable as per our price list.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
A dedicated account manager is assigned for each customer, and contact details of our support team provided as part of onboarding.

Full training on the use of paygate is provided. This includes checks on all the users that have been configured for the customer – including access rights, permissions and how the user can create, process and approve payments - as well as test submissions using the customer's service user numbers and file formats. An extensive online help library is also available within paygate, and our support team are on hand to answer telephone and email queries, or to provide additional training if requested.
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
Users can access, view and download reports and data relating to each individual submission that has historically been processed through paygate. Reports can also be run and downloaded to show all data held against an individual bank account and sort code.

Users can access, view and download system configuration reports that set out how groups, users and user roles have been configured within paygate.

Users can run and download audit logs that show what and when system changes were made by whom.

Any files that remain unprocessed within the platform can be downloaded.
End-of-contract process
At the end of the contract, the customer's access to paygate is revoked with all user profiles disabled. Customers can export any required data direct from the application.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
No
Designed for use on mobile devices
No
Service interface
Yes
Description of service interface
Paygate is accessed via a browser. Users log in to perform desired functions by selecting options from menus and shortcuts. An action list allows quick access to key items that require the attention of the user. Intuitive screens and prompts guide users through required steps and alert them to items that require action.
Accessibility standards
None or don’t know
Description of accessibility
The design of paygate is such that all efforts have been made to ensure the software is accessible. There is no audio/video only content, non-text content is minimal and always has a text alternative to ensure understanding. Information is presented in a structural and sequential manner on clearly titled pages/sections so that the process to be followed can easily be inferred. Colour is not used as a sole means of conveying information or as a prompt for action, and there is no flashing/scrolling content.
Accessibility testing
Our standard testing process as part of software development always ensures that logical and common-sense processes and design elements are used - our focus is always on clarity and ease of use rather than on graphical design for its own purpose. The accessibility as described above is covered as part of this common testing process.
API
Yes
What users can and can't do using the API
APIs exist across the product and the scope and range of these is expanding all the time. Please contact us to discuss your requirements more fully so that we can best advise you on what APIs can be used.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Paygate includes powerful file mapping tools so that it will work with any input files (from your CRM/ERP etc) that you are using. Business Process Automation options also allow workflows to be created and customised to suit your ways of working and drive increased efficiency, whether that is enabling lights-out submission to Bacs, downloading and transforming reports, or simply manipulating and moving files before emailing users.

Scaling

Independence of resources
Overall volume of activity and available capacity is monitored 24x7 to ensure system resources are reviewed and enhanced accordingly.

Analytics

Service usage metrics
Yes
Metrics types
Transaction reports, Submission reports, Collection reports, Audit reports, Workflow reports
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Reports and summaries held in paygate can be viewed and downloaded at any time if a user has the relevant access permissions assigned to them (control of these permissions is under the remit of the customer).
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • HTML
  • XLSX
Data import formats
  • CSV
  • Other
Other data import formats
  • We can work with any input data format
  • Bacs Standard 18

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
SSH for SFTP
Optional AES256 data encryption for file upload
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
SSH for SFTP
AES256 data encryption for all data

Availability and resilience

Guaranteed availability
We offer at least a 99.5% uptime availability in a given month - with a credit given for each full hour that paygate is unavailable.
Approach to resilience
Paygate employs full data replication and resilience across multiple instances in high availability mode. Further details are available upon request.
Outage reporting
In the event of an outage, we would automatically transfer connection to our secondary instance, and advise customers by email or telephone as required. There is a portal that you can subscribe to for scheduled maintenance windows, and this same portal can also alert subscribed users to any messages via email, Slack messaging etc.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Only our dedicated and security cleared support team are given access, via a separate and secure network, to the live customer platform. This access is controlled by username/password as well as two factor authentication, and audit logs of who is accessing the live platform and the activities being undertaken are recorded, stored and reviewed regularly.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials Plus
  • Bacs Approved Software Supplier
  • Bacs Approved Bureau
  • Bacs Approved Software Supplier to Bureaux

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We operate an Information Security policy that protects all our owned and 3rd party owned Information Assets (including people, data, media, devices or systems) which are transferred to our care. We also adhere to our responsibilities to protect Information and Personal Data through our own systems or via 3rd party providers. We maintain a number of further policies and procedures such as an Acceptable Use policy, Access Control policy, Change Management policy, Disaster Recovery policy & a Business Continuity policy, and ensure that all employees are aware of their responsibilities and comply with the policy aims through training and regular awareness of the policies as well as any updates or changes.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are fully tested and released under a prescribed change management process. The process identifies changes that are required, ensures agreement on the changes from stakeholders, tracks the progress of the changes centrally, ensures full testing of the changes, delivers the changes, and updates all documentation with the changes.

This approach ensures that all changes are implemented in an organised manner, ensures that no unnecessary changes are made, and ensures that all changes are properly considered for the impact and benefit that they will have.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We maintain an internal vulnerability management policy that includes regular vulnerability scanning and assessments and audits of all infrastructure and devices to identify, assess and remediate any technical vulnerabilities as soon as they are identified. We maintain an approved software list. Our patch management process ensures that security updates and patches are implemented as required. We undertake regular penetration tests that are performed by accredited third parties.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring is in place 24x7x365 to ensure that our services are constantly assessed and reviewed to monitor for any potential threats or attacks. We utilise IDS, use PRTG, firewalls and real-time monitoring through a 24x7 NOC/SOC. If any potential impacts are identified then action is taken immediately to analyse, identify and implement corrective and preventative actions.
Incident management type
Supplier-defined controls
Incident management approach
Through 24x7 monitoring, our incident management process ensures that as soon as an incident is detected and alerts are generated, action is taken immediately to analyse, identify and implement corrective and preventative actions, updating customers and implementing a disaster recovery plan if required. Users can report incidents directly to our service team as required. Customers would be kept updated, and incident reports would be issued as required after our root cause analysis, and corrective actions have been completed.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£1,750 an instance a year
Discount for educational organisations
No
Free trial available
No
