Cirrus

Cirrus PCI Pro User License

Our individual user licence allows your organisation to only provision access for those who require PCI DSS Compliant payment processing functionality, meaning you only pay for what you need.

Features

  • Card data collected and processed through Level 1 accredited platform
  • Concurrent transaction licensing
  • Agent and caller remain in contact, no voice suppression
  • Card data entered through telephone keypad
  • Calls can be recorded for their full duration
  • Real-time verification of data input accuracy

Benefits

  • De-scopes the full contact centre from PCI DSS Controls
  • Enhanced customer experience
  • Recorded calls are not compromised
  • Agents retain control of the process without accessing sensitive data
  • Cost effective and efficient solution

Pricing

£15 per user per month

Service documents

Framework

G-Cloud 11

Service ID

219773505030651

Contact

Cirrus

Sales

0333 103 3440

sales@cirrusresponse.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Cirrus PCI Pro Card Payment Module
Cloud deployment model
Private cloud
Service constraints
No.
System requirements
  • Business grade internet connection
  • Internet browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Cirrus services are supported 24 hours a day, 365 days a year for all service faults. For day-to-day support there are 3 levels of support customers can opt for:
  • Fully Managed Service – 24/7
  • Fully Managed Service – Business Hours
  • 2nd Line Support – Business Hours
Pricing is provided under the Cirrus Support Services for G Cloud 11 Service Listing. You will be assigned a Service Delivery Manager; details of this can be found within the Service Definition document accompanying this listing.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AAA
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AAA
Web chat accessibility testing
Web interface accessibility testing Cirrus has a number of existing customers with users who require assistive technology.
Onsite support
Yes, at extra cost
Support levels
Cirrus services are supported 24 hours a day, 365 days a year for all service faults. For day-to-day support there are 3 levels of support customers can opt for:
  • Fully Managed Service – 24/7
  • Fully Managed Service – Business Hours
  • 2nd Line Support – Business Hours
Pricing is provided under the Cirrus Support Services for G Cloud 11 Service Listing. You will be assigned a Service Delivery Manager; details of this can be found within the Service Definition document accompanying this listing.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide a fully managed implementation service designed to migrate customers from legacy solutions to Cirrus. We have a unique training and knowledge transfer process, '30, 60, 90'. You can find more details in our Service Definition document accompanying this listing.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
The customer will need to extract any customer-generated statistics and data from the platform. All data not already transferred over to the customer will be transferred via SFTP to a nominated location. There is a per-GB cost for the transfer; please refer to your pricing calculator for the transfer costs. Cirrus will confirm the file size once notice has been received.

All remaining customer data will be destroyed following a 28-day data extraction period.
End-of-contract process
Cirrus provides a simple and quick exit process for customers. Additional costs are related to data extraction, if there are any remaining call recordings on the Cirrus platform.
Customers can give notice in accordance with the terms in the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
  • macOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None
Service interface
No
API
Yes
What users can and can't do using the API
The Cirrus API suite offers customers a broad range of integration and process automation options. The API is designed to allow rapid deployment of services. The APIs can be set up via the Cirrus portal, with an intuitive GUI which allows customers to self-manage the setup and change of integrations using our APIs. Cirrus has a common language (RESTful) and open API policy, where users proficient in URL-based HTTP APIs can interoperate across all our pre-written APIs. These enable multiple integration functions, for example data workflows, UI enhancements and UI automation. Multiple APIs can be used to deliver complex requirements.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
No
Customisation available
No

Scaling

Independence of resources
Capacity is managed and customers are prevented from consuming an onerous amount of resource

Analytics

Service usage metrics
Yes
Metrics types
We provide network and platform availability, service availability, service usage and performance of the customer's contact centre.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data is available via online portal download.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Data is transited between data centres via private Ethernet backbone links.

Availability and resilience

Guaranteed availability
99.999%. We have a service level agreement in place and a service credit regime in the event that we do not meet or surpass our uptime metrics. You can find details of this in the Service Definition document accompanying this listing.
Approach to resilience
We have described our cloud architecture and how we set it up to achieve maximum resiliency for all of our customers in the Service Definition document accompanying this listing.
Outage reporting
Dashboards, Email, SMS and Voice IVR alerts where the circumstances require.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Cirrus administers role-based access for all of our services.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
QMS International Ltd
ISO/IEC 27001 accreditation date
23/08/2016
What the ISO/IEC 27001 doesn’t cover
Cirrus has implemented the following in relation to ISO27001:
1. Understanding business information security requirements and the need to establish policy and objectives for information security
2. Implementing and operating controls in the context of managing the Company’s overall business risk
3. Monitoring and reviewing the performance and effectiveness of the ISMS
4. Continual improvement based on objective measures
5. Communicating throughout the Company the importance of meeting all relevant statutory and regulatory requirements specifically related to its business activities
6. Ensuring that adequate resources are determined and provided to monitor and maintain the ISMS.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
7Safe
PCI DSS accreditation date
14/09/2016
What the PCI DSS doesn’t cover
The following high-level controls are specified by the PCI DSS; responsibility is shown for each control within the Cirrus platform (Cirrus or Customer):
1. Install and maintain a firewall configuration to protect cardholder data. Responsibility: Cirrus
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Responsibility: Cirrus
3. Protect stored cardholder data. Responsibility: Cirrus (note: Cirrus does not store cardholder data within its platform)
4. Encrypt transmission of cardholder data across open, public networks. Responsibility: Cirrus
5. Protect all systems against malware and regularly update antivirus software or programs. Responsibility: Cirrus
6. Develop and maintain secure systems and applications. Responsibility: Customer and Cirrus. Note: If the customer has developed their own software applications which are part of their PCI scope then it is their responsibility.
7. Restrict access to cardholder data by business need to know. Responsibility: Cirrus
8. Identify and authenticate access to system components. Responsibility: Cirrus
9. Restrict physical access to cardholder data. Responsibility: Cirrus
10. Track and monitor all access to network resources and cardholder data. Responsibility: Cirrus
11. Regularly test security systems and processes. Responsibility: Cirrus
12. Maintain a policy that addresses Information Security for all personnel. Responsibility: Cirrus and Customer.
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials
  • Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We are ISO 27001 accredited and we have information security policies and processes in place across the organisation. Our reporting structure is as follows; 1. The Directors have approved all processes and policies 2. Overall responsibility for Information Security rests with the ISMS Manager 3. 5. All employees or agents acting on the Company’s behalf have a duty to safeguard assets, including locations, hardware, software, systems or information, in their care and to report any suspected breach in security without delay, direct to the Operations Director and/or the ISMS Manager.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
The configuration management processes are part of the overall Service Asset and Configuration Management process. Our Configuration Items (CIs) include hardware, software, buildings, people and formal documentation and the relevant information is managed throughout the lifecycle. The processes for doing this are clearly documented, for example Change Control processes.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
The Cirrus network is monitored by Zabbix and PRTG software, which collect various statistics from servers, applications, and devices.
  • External vulnerability scans (frequency): Quarterly
  • Internal vulnerability scans: Yes
  • External Penetration Test (frequency): Quarterly. Penetration testing is conducted on the network perimeter and infrastructure, and websites used to host, process or transmit client data.
  • Internal Penetration Test: Yes
Our database is monitored and reviewed to determine required security-related patches. We use an industry-accredited anti-virus; updates are at minimum once daily.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
The service is monitored 24 hours a day. Any potential compromises are immediately alerted via email and SMS to the security team. Response time and rates are specific to the nature of the potential compromise, for example, a user failing authentication 3 times in under 5 minutes would be treated differently to a user failing authentication 50 times in under 60 seconds.
Incident management type
Supplier-defined controls
Incident management approach
Cirrus has standard incident management procedures in place to ensure that we are able to restore a service as quickly as possible and to minimise adverse impact on business operations. Customers are able to raise an incident or service request by telephone or email. Queries to Cirrus Support are logged as cases within our support system and categorised according to Priority. Customers receive incident reports via email.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Yes
Connected networks
NHS Network (N3)

Pricing

Price
£15 per user per month
Discount for educational organisations
No
Free trial available
No
