An agent-assisted payment solution that enables customers to make multichannel payments (phone, online or Live Chat) when speaking with an agent.
Eckoh’s CallGuard cloud solution provides full PCI DSS Level 1 de-scoping of customer environments for Card Not Present (CNP) payments, including alternative payments such as ApplePay, GooglePay, Paypal.


  • PCI DSS Level 1 certified provider
  • Minimised PCI DSS audit support
  • Compatible with 100% of PSPs, including multiple providers
  • DTMF Masking or tokenisation prevents card data entry
  • Minimal integration
  • Available across various channels
  • Any contact centre agent can take a secure payment
  • Fully de-scopes the customer environment
  • Patented technology
  • Can overlay with existing technology


  • Fraud risk reduction
  • Extends the payment options beyond traditional cards and into e-wallet
  • Reduces the time and resources needed to complete the PCI DSS audit questionnaire.
  • Allows agents to continue guiding callers through the payment process
  • Removes agents, systems, processes and call recordings from PCI scope.
  • Reduces payment card provider transaction costs.
  • Better customer experiences.
  • Improved security
  • Continuous call recording for quality monitoring accuracy.


£0.23 to £0.32 per transaction


G-Cloud 11

Service ID

270728946522661



Louisa Seymour

07825 219705

Service scope

Software add-on or extension Yes
What software services is the service an extension to All of our Services in G-Cloud can be used together to improve the customer contact journey. Services that can be used together and extended are:

Natural Language IVR
Route Network IVR
IVR Pay Automated Payments
Self-Service Applications
Identification and Verification
CallGuard PCI-DSS agent payments
Cloud deployment model Private cloud
Service constraints Only browsers which are supported for security patches and updates by their manufacturers are supported under the PCI DSS standard and therefore only these will be supported by us.
System requirements
  • All calls need to be routed through the platform
  • Currently supported browsers: IE9 and above, Firefox, Chrome, Safari

User support

Email or online ticketing support Email or online ticketing
Support response times Response times do not change at the weekends. Response times differ by error severity, for example: Serious (24/7 Support) - 1 hour; Service Affecting - 4 Business Hours; Minor - 48 Business Hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels We do not provide a tiered support structure. All support is 24x7x365 and provided as standard within the cost of the service. We provide a technical account manager within the cost of the service.
Support available to third parties Yes

Onboarding and offboarding

Getting started When users start using our service we will provide telephony end points for the buyer to route phone calls to.

In addition to this we will ask the caller to complete a questionnaire to enable service setup. The whole process will be outlined in a 'getting started' document.

Users of the service will be provided with training material, and administrators can be trained online or on site.
Service documentation Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction We will provide the buyer with an extract of management information collected during the course of the contract.
End-of-contract process Configuration data for the service can be provided at this point.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface No
What users can and can't do using the API CallGuard as a service is available through a simple REST-based API.

This allows developers to develop their own CallGuard web panels rather than use our provided template.

All CallGuard functions are available through the API.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The web pages around the core CallGuard payment capture can be customised to meet specific business requirements. This customisation would typically be for information required to take the payment, for displayed payment status to agents, and for branding.


Independence of resources We manage our platforms and infrastructure using a range of KPI and OPI measurements, including average and peak utilization across all components. Trend analyses and the sales pipeline are used to ensure that sufficient capacity is maintained for BAU operations and exceptions. Our infrastructure is deployed in a scale-up and scale-out design, allowing additional capacity to be added without redesign.


Service usage metrics Yes
Metrics types For CallGuard Eckoh provides:
Total calls (Both inbound and outbound which can be split out)
Total minutes
Avg. duration
Attempted payments
Successful payments
Failed payments
Confirmations (email, sms)
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Data export is carried out by us. We will provide access to an sFTP server for users to access exported data.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks We can also support HTTPS for data transit over the public internet where this is required.
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Our platform is built from highly resilient components and is spread across two geographically separate sites, each providing resilient solutions for communications and power. As such, the platform provides an availability figure of 99.9% per year.
Approach to resilience This information is available upon request.
Outage reporting If for any reason we experience an outage that affects the covered application, it will be reported to the customer as soon as the agreed severity has been reached. The platform has built-in mechanisms for alerting both us and the client to any service-affecting issue. Alerts can be issued via SNMP or email. Severe service-affecting issues are managed by Eckoh's support team. An internal outage report is created and this will be passed on by your Account Manager to an agreed customer contact list via email and/or phone.

Identity and authentication

User authentication needed No
Access restrictions in management interfaces and support channels Where required we use secure login, certificates and IP whitelisting to ensure access is restricted. All access is logged and auditable.
Access restriction testing frequency At least once a year
Management access authentication Other
Description of management access authentication There isn't any management access to this service

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 The British Assessment Bureau
ISO/IEC 27001 accreditation date 03/05/2019
What the ISO/IEC 27001 doesn’t cover Nothing
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Verizon
PCI DSS accreditation date 15/09/2017
What the PCI DSS doesn’t cover Our entire operation and all services supplied are covered by our PCI DSS certification.
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Eckoh are PCI DSS Level 1
Information security policies and processes Security of information is pivotal to the successful operation of our business. We will protect these information assets and will do this in ways that are appropriate and cost effective. This will enable us to fulfil our responsibilities and to ensure that a high quality service can continue to be delivered to our clients, their customers and our staff. By maintaining this philosophy and practice we will retain our reputation as the leading provider of hosted self-service solutions in the UK. Responsibilities for information security management are shared between the following:
  • Board of Directors
  • Group Strategy Board
  • UK and US Performance Management Group
  • Security Group
  • Patching and Vulnerability Group
  • UK and US Data Protection & Security Working Groups
Membership of these groups will be maintained by the Data Protection Officer and a committee structure.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our continued compliance with PCI requires the following:
  • A procedure for maintaining platform hardware assets.
  • A procedure for maintaining corporate hardware (PC and laptop) asset information.
  • A procedure for maintaining licensed software asset information.
Our Change Management Process is integral to this process. The IT Director is responsible for maintaining the PCI asset register. This covers hardware and software that is in scope for PCI compliance, including in-house developed payment services, and merchant account codes. PCI asset information related to in-house payment services is captured on Request for Change forms.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a document that defines the standard procedure and timescale for managing security patches within the company. This includes definitions of:
  • the composition and role of our Patch and Vulnerability Group (PVG)
  • the role of senior management
  • the process of identifying newly discovered security vulnerabilities
  • a formal patch management life cycle process.
This procedure applies to the management of security patches for our Windows and Linux platforms and to our network devices. Where applicable, the application of patches to our hosted infrastructure is subject to agreed client change management and approval processes.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Monitoring computer systems and tracking user activity is a critical factor in protecting information security. Without effective monitoring, determining the source of security incidents would prove extremely difficult, and in such circumstances we would not be able to comply with other policies, industry standards or legal requirements. An incident is defined as an unplanned interruption to an IT or client service or reduction in quality of any service. The purpose of this policy is to define our principles and approach to incident management, resolution and longer term remedial action to minimise adverse impacts on business operations.
Incident management type Supplier-defined controls
Incident management approach We have a well-defined policy that covers both network and information security incident management. Network incidents are those that reduce the quality or availability of IT services. Information security incidents are those which pose a threat to our information. Users can report incidents by email or phone. We follow a standard process for managing incidents from identification through impact assessment, reporting, fixing and testing to full resolution and RCA. RCAs are provided to clients via email within 5 working days of incident closure.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £0.23 to £0.32 per transaction
Discount for educational organisations No
Free trial available No
