Post Office Limited

Exception Payments Solution

Post Office's solution provides an exception payments service to customers unable to access mainstream financial products. Dependant on customer's needs, the service offers prepaid card account and voucher disbursement with full customer service support for accounts. The service supports both digitally enabled and excluded customers through 11,600 branch locations nationwide.


  • Prepaid Card Account with physical card supported by digital app
  • Non-account Voucher (digital or offline) service
  • Cash access at 11,600 locations in urban and rural areas
  • Highly trained, experienced and caring staff
  • Customer servicing via UK contact centre
  • Real-time client mangement web portal
  • Bespoke MI reporting
  • FCA regulated and authorised service
  • Real-time transaction monitoring system to identify suspicious activity
  • Innovative product functionality tailored to client's needs


  • Securely held customer funds
  • Fast access to critical funds through a national cash network
  • Direct cash supply to locations within 3 miles 99.7% population.
  • Over 15 years experience serving vulnerable customers
  • Minimal client integration that simplifies the implementation process
  • Responsive emergency funds disbursement
  • 24/7 fraud monitoring and resistance team
  • MI services tailored to the client's needs
  • Regulated product ensures service compliance and client assurance
  • Services compatibility with existing banking infrastructures


£2 to £20 per unit per month

Service documents

G-Cloud 11


Post Office Limited

Chris Hoyle

07500 702144

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No.
System requirements No specific system requirements to access the on-line services

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Average response time is ~1-2 hours via email. Wait times on the phone are 5 minutes.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support No
Onsite support Onsite support
Support levels As part of our onboarding process, each client is assigned a dedicated Account Manager. The Account Manager is the client’s primary point of contact for all queries relating to the payments service.
The Account Manager will support their client through the onboarding process, e.g. the MI portal customisation; provide ongoing technical and service support throughout the life-cycle of the contract; provide regular management reviews on the performance of the service including detailed analysis of any operational improvements.
The Account Manager will also deliver regular internal management updates to ensure that all projects meet pre-agreed service deliverables.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Each client is assigned a dedicated Account Manager and Project Lead who work with them to establish a project delivery plan.
Client's will receive on-site training, documentation on the service, FAQ and the support that they can expect from their Account Manager.
The service is also supported by a centralised customer service team that is equipped to handle enquiries from the client and their customers. We are able to provide support for customers through email, phone or social media. We will have regular on-suite meetings with each client - as often as fortnightly - to ensure we are delivering against the project plan.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At the end of a contract, the client can submit a request for customer data for a specific period of time, to be agreed. Upon receipt of the request, Post Office would run a query to obtain all data relating to the customers of the specified client. This data would in turn be sent to the client's destination of choice via a secure method of data transfer.
To fulfil its legal obligations under the Money Laundering Regulations POL and its subcontractor would still be required to retain copies of the data for the statutory period of time after which point the data would be deleted.
End-of-contract process There are several potential options, including:-
1. We would work with the client to migrate existing customers on to their replacement service by the contract end, or
2. Notify customers that their accounts will close and obtain their permission to transfer the existing funds to their chosen banking service, or
3. Explore options to provide an alternative service to customers for those customers that will not be migrated on to the client's replacement solution.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Desktop is provided via web app, while mobile works with native apps and web. However, in all other functional aspects they are the same.
Accessibility standards None or don’t know
Description of accessibility Customers can access the service via a dedicated web portal or through a mobile app, and they are supported by a contact centre service helpdesk. Additionally, customers have offline access to cash and assistance services in-branch at over 11,600 Post Office locations.
Accessibility testing Not applicable.
Customisation available Yes
Description of customisation The service can be tailored to the specific needs of our client's. Each client can choose the functionality and features available to service their customers. Additionally, client's can customise the MI tool to generate specific service usage metrics on key data points.


Independence of resources The service is run on public cloud, with capacity far exceeding our scale. We use auto-scaling for services so that as user demand increases, the capacity increases in response. We also have a service team that monitors the platform health and addresses any bottlenecks.


Service usage metrics Yes
Metrics types We are able to provide insight into transactional data such as payments made, type of payments, uncollected funds etc. In order to optimise operational efficiency, we focus on average response time, average resolution time and first touch resolution rate (% of queries that are resolved on first contact without back and forth).
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach Data is stored with a trusted public cloud vendor. It is protected by access controls including multifactor authentication. It is further protected with transparent encryption of data at rest, as well as logical separation of customer data.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach The security of data is of paramount importance to us, therefore we utilise secure SFTP methods to transfer data between parties.

Periodic external audits involving penetration testing are conducted to ensure that methods of transfer remain secure, with any findings relating to potential vulnerabilities handled by our security and risk committee to ensure any remediation actions are resolved within an appropriate timescale.

If a client requires data exporting, they are therefore required to submit a change request, and the required data will be sent in a secure format to the client's destination of choice.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We guarantee a 99% uptime and typically achieve in excess of 99.5% uptime.
Approach to resilience Service is hosted on public cloud and is designed to be auto-scaling. The service transparently handles most failure scenarios automatically. And, back office systems are designed to recover and resume processing after any outage.
Outage reporting We provide email notifications for any incident and updates via the online status page for clients.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Username and password, secret answer, finger print, phone number verification.
Access restriction testing frequency Less than once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 26/03/2018
What the ISO/IEC 27001 doesn’t cover ISO 27001:2013 is specifically for Information Security Management Systems, this does not cover the core technology involved in certificate issuance e.g. smartcards, PKI technology. This is covered by our ETSI certification
ISO 28000:2007 certification Yes
Who accredited the ISO 28000:2007 See our comments below
ISO 28000:2007 accreditation date Various
What the ISO 28000:2007 doesn’t cover Post Office has several levels of certification that cover our supply chain:
ISO9001-2015 – for Cash Centres, Bureau Centre and the Swindon Stock centre and it forms a chunk of the ACS.
Approved Contractor scheme (ACS) covers their Cash and Valuables in Transit (CViT) external services – this enables Licence management which is used to obtain SIA licences. A legal requirement where external services are performed.
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • TScheme accreditation for GOV.UK and eIDAS compliance
  • ETSI EN 319 411-1 and ETSI EN 319 411-2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Post Office Information Security Management System (ISMS) is based on ISO27001 compliance with a formal governance structure based on Information Security policy, standards and guidelines. For certain government contracts, Post Office is certified to ISO27001. Service providers to Post Office are ISO27001 certified or required to be within 1-year of contract signing

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All configuration and software changes are reviewed and signed off prior to release. Change deployment is automated and there are automated checks & tests prior to and post-rollout. We have dedicated QA staff.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our production infrastructure runs on managed cloud hosting. Cloud vendor continuously and immediately patches known vulnerabilities.

Any identified security vulnerabilities in the system would be remediated as highest priority by the engineering team.

We takes steps to identify vulnerabilities including Periodic external penetration testing, expert staff who routinely audit production systems, and peer review systems and changes.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Automated monitoring systems alert engineers to abnormal activity and attacks. Engineering staff check production health and look for anomalies for investigation every day.
We takes steps to identify vulnerabilities including Periodic external penetration testing, expert staff who routinely audit production systems, and peer review systems and changes.
Engineering staff respond to identified production incidents within an hour 24/7.
Incident management type Supplier-defined controls
Incident management approach We have a documented incident response procedure which is followed for operational incidents. For information security breach incidents there is a dedicated internal email address where any employee can escalate an InfoSec incident and the relevant owner will enact the incident response procedure.
Buyers can report incidents to their support contact. This would trigger the incident response procedure outlined previously. We would also provide our client's with a detailed incident report within a week of an incident occurring.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2 to £20 per unit per month
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions pdf document: Modern Slavery statement
Service documents
Return to top ↑