Direct Debit Processing

Our Direct Debit service is highly automated, increasing the efficiency of your Direct Debit collections and reducing costs and risks for your organisation.

It allows you to automate more of the process, optimising speed and accuracy while removing the risk of managing it all yourself.


  • Only your name appears on your customers’ bank statements
  • Validation of bank accounts at sign-up
  • Access to a web-based admin portal
  • All Direct Debit sign-up methods - paper and paperless
  • Sending of advanced notifications
  • Individually ‘ring-fenced’ client accounts
  • Full submission history
  • Automated Bacs submissions


  • Award-winning customer service
  • Omni-channel support
  • Reduce customer churn
  • Improve operational efficiency
  • Integrate with your finance systems
  • Reduce the risk of errors


£0.35 per transaction

Service documents


G-Cloud 11

Service ID

208854157839809



Sales team

01276 851820

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Tickets are typically resolved in under 3 business hours. There is no weekend support.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Our web chat is powered by a market-leading third-party supplier and conforms to modern web standards.
Web chat accessibility testing
Our web chat is powered by a market-leading third-party supplier.
Onsite support
Onsite support
Support levels
We provide omni-channel support during business hours. Support is included within your contract.
Support available to third parties

Onboarding and offboarding

Getting started
We provide every user with online training, and we operate an online service portal which contains helpful user documentation. We offer Bacs-accredited Direct Debit training onsite as an additional service.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Export of data is possible in standard formats as required by Bacs.
End-of-contract process
At the end of the contract the customer has the ability to export their data. There are no additional costs for this action.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Our portal is grid-based, so it displays across desktop, mobile and tablet; however, the best experience is on desktop.

The Direct Debit sign-up portal is mobile responsive.
Service interface
Description of service interface
We have an online Direct Debit management portal to manage all aspects of Direct Debit collections and reporting. We also have an API service which connects to the core processing functions and SFTP.
Accessibility standards
None or don’t know
Description of accessibility
Our portal is built on modern web application standards using Bootstrap, with no restrictive technologies such as Flash.
Accessibility testing
We haven't conducted any testing with assistive technology.
What users can and can't do using the API
SmartDebit API® gives you direct access to the core of our Direct Debit processing systems, giving seamless integration with greater control.

We can provide reliable REST APIs (Application Programming Interfaces) for every function associated with the Direct Debit collection process, from payer sign-up and collection submissions to automatic re-presents and reporting.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
White labelling of the product is possible and multiple role configurations are included.

Customisations can be made by SmartDebit.


Independence of resources
Within each data centre, traffic for each application is intelligently load-balanced between at least two application servers, though more are available to be added if needed. Capacity is managed such that any one application server can handle all normal production traffic, so there is consistent over-provisioning. Virtualised application servers within a pool are also spread between different physical hosts to ensure redundancy in the case of physical hardware failure.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Data can be exported through a system interface within the application or by SmartDebit staff upon termination.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
Other protection within supplier network
Our network is switch-isolated from anyone else's.

Availability and resilience

Guaranteed availability
SmartDebit target a service availability of 99.5% during Bacs operating hours.
Approach to resilience
SmartDebit uses two premium UK data centres run by commercially-separate suppliers to host all customer-facing services. All sensitive payer data is stored here, and not in our office locations. We have our own hardware and private racks in each data
Outage reporting
Status API call. We have a series of other mechanisms which exist to alert SmartDebit to issues.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Support channels use a reviewed user rights matrix that is updated and reviewed each time an “event” happens. Critical support accounts have logging for actions and role changes that alert Infrastructure. There is a separation of concerns between operational and admin staff. There is a separation of concerns between day-to-day and admin-capable accounts. Root-level support accounts have changing passwords and must have requests for access approved by the Head of Infrastructure. We have configurable user roles and permissions across our applications. Access is only available to a select group of users. All changes are audit logged.
Access restriction testing frequency
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
YubiKey as required.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
The Certification Group Ltd
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our certification covers SmartDebit as a company.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Financial Conduct Authority (FCA) 2017

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Audited ISO 27001:2013 processes and controls.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We track components of our services using ServiceNow, asset tracking and configuration management tools for software through their lifetime. Changes are assessed monthly at a security forum for any security-related change. Prior to the change occurring, approval must be obtained from the Chief Information Officer. Change control for all systems is implemented through IT service management tools. All changes to any system or network component are detailed in the relevant configuration change history record. All changes meet the foundation requirements for industry best practices as detailed within the Information Technology Infrastructure Library (ITIL).
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Anti-virus mechanisms are deployed on all SmartDebit computers, and company systems are further protected by a perimeter appliance. All mechanisms are kept current and updated regularly. Vulnerability scans are performed monthly and kept for a minimum of 1 year. All in-house applications are developed using corporate standards for development and secure coding techniques. Depending on threat level, patching occurs within two days for emergencies or monthly as standard. Our Infrastructure team compares threat advice from industry advisories, news feeds, the National CyberCrime centre and alerts from AV providers against the infrastructure layout, and conducts monthly coordinating security forums for process review.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Inside our network, we deploy ESET antivirus and Malwarebytes anti-malware to automatically scan anything that is downloaded or installed. These are centrally controlled and flag issues immediately on discovery of suspicious software. Risks and logs are reviewed at monthly security meetings for process improvement and user education.

We identify compromises following alerts from IDS/IPS scans and receive alerts for changes in user rights, network traffic, firewalls or AV/antimalware systems.

We respond to incidents within an hour, and we have an emergency infrastructure CAB that invokes the security incident process detailed in our incident management policy.
Incident management type
Supplier-defined controls
Incident management approach
We operate an Incident Priority Matrix with defined targets for response and resolution for incidents based upon priority and severity. Incident support for existing services is provided during core BACS operating hours.

Users report incidents through the ITSM tool as a single source of data. Incidents will be populated with the required information to allow rapid determination of priority.

Regular reviews of incident response and resolution times are undertaken to ensure compliance with the agreed SLA. The incident manager ensures that incidents are correctly escalated; tickets that are approaching their SLA will be escalated to the CIO.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£0.35 per transaction
Discount for educational organisations
Free trial available
