Bottomline Technologies Limited

Bottomline PT-X

Bottomline PT-X(R) is a cloud-based Payment service that securely manages Bacs, Faster Payments, Direct Debits, Cheques and Credit Cards, as well as all the accompanying documentation (Remittances, Print and Post etc.) in one secure environment. PT-X also provides Validation and Verification of Bank accounts to combat error and fraud.

Features

  • Bacs Payments
  • Faster Payments
  • Direct Debits
  • Bank Account Validation and Verification
  • Cheques
  • Security Pack
  • International Payments
  • Refunds and One Off Payments
  • Print & Post

Benefits

  • Automate and Audit Bacs Payments
  • Automate and Audit Faster Payments
  • Manage Direct Debit collections
  • Verify Bank Account Details
  • Automate and Print Cheques locally and centrally
  • Encrypt your Data and Control Access to it
  • Make International Payments
  • Make Refunds and One-Off Payments
  • Print and Post relevant Financial Documents

Pricing

£1000 to £100000 per instance per year

  • Free trial available

G-Cloud 11

365864359637648

Bottomline Technologies Limited

Michael Johns

+44 (0) 870 081 8250

mjohns@bottomline.com

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to:
  • All ERP systems
  • All Payroll systems
  • All CFRM systems
  • All Billing systems
Cloud deployment model: Private cloud
Service constraints: None
System requirements: None

User support

Email or online ticketing support: Email or online ticketing
Support response times: We respond within 1 hour to a category 1 (Application unusable) error. There are different response times for less serious questions.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Web chat is accessible through an automatic pop-up on our website.
Web chat accessibility testing: Our website (including the chat tool) is built to meet WCAG 2.0 AA compliance.
Onsite support: Yes, at extra cost
Support levels: Support questions are split into 3 levels.
The top priority is Application Unusable, followed by Application Usable but with some constraints, and finally Application suggestions.
Each level is set by the customer. There are different response times for each level.

Support is included in the usage fees. Support for UK Bacs users follows Bacs hours: currently 7am to 10pm Mon-Fri.
Out of Hours Support (Weekends and Bank Holidays) is available for a fee.

All Support is based in the United Kingdom.

Support is included in the usage fees.
Other Technical Support is available for a fee.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: The first conversation introduces the steps Bottomline uses to ensure our Customers can use the Application quickly and safely.

They differ from module to module, but typically include:
  • Installation of linking module
  • Set-up of Approval matrix (done by Customer or Bottomline)
  • Customer Self Training through Online Videos
  • End-to-End testing

Then the Customer can go live.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: The data can be downloaded from the Application at the expiry of the Contract.
End-of-contract process: At the end of the contract, the Customer may choose to download their data. When this has been done, Customer access to the service is rescinded.

There is no extra cost at the end of the contract.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: Yes
Compatible operating systems: Windows
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The Desktop controls the links/file uploads from the Customer's Host system to the PT-X Application.
Mobiles are used for Approvals.
API: Yes
What users can and can't do using the API: All Payments and Collections functionality is available through the API.

The initial set-up is achieved online, not through the API.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Customisation is available for some modules as appropriate to that module. Examples include Customer/Agent Web Form white labelling.

Customisation is done by Bottomline.

Scaling

Independence of resources: Bottomline's Private Cloud has enormous capacity, currently supporting over 6000 Government and Corporate customers of all sizes.
PT-X has sophisticated service protection, including thwarting denial-of-service attacks, error-strewn files from other customers etc.

Further Technical Detail is available.

Analytics

Service usage metrics: Yes
Metrics types: On a monthly basis, the Customer is informed of their Usage during the previous month across the modules they are using.
Reporting types: Regular reports

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Other
Other data at rest protection approach: Data is encrypted in an Oracle database. Otherwise
Bottomline's Security standards, policies and subsequent controls are developed based on many industry standards such as ISO/IEC 27001-2013, COBIT, NIST SP800-53 R3, etc. to meet and/or exceed the regulatory requirements of a technology service provider.
Data sanitisation process: No
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: There are facilities to download customer data within the Application. These are available on demand.
Data export formats:
  • CSV
  • ODF
Data import formats: Other
Other data import formats: Flat files

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network
Data protection within supplier network: Other
Other protection within supplier network: Data at rest and in transit is fully encrypted.

Availability and resilience

Guaranteed availability: The Service Level Agreement is attached to all GCloud11 Orders and covers the Availability levels of the Service.
It also covers the Support levels for Questions and Incidents.
Approach to resilience: Bottomline has very sophisticated live failover resilience.
The two Data Centres are completely independent, utilising the latest and strongest resilience capability available.

Both Data Centres are located in the United Kingdom and are owned and operated by different companies.

Full details are available on request.
Outage reporting: Outages are reported on a separate public dashboard so that any issues (Bacs service down, Faster Payments Network unavailable etc) can be flagged to the Customer community. The Dashboard is updated at least every 30 minutes until the incident is over.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels: Stringent access controls are utilized for granting access to environments, applications, and data. Access is provided by role on least-privilege and need-to-know principles, while observing separation of duties. Management and the Change Advisory Board (CAB) must approve all access.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI
ISO/IEC 27001 accreditation date: 29/10/2016
What the ISO/IEC 27001 doesn’t cover: Bottomline services outside of (BTS) PT-X
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Bottomline's Security standards, policies and subsequent controls are developed based on many industry standards such as ISO/IEC 27001-2013, COBIT, NIST SP800-53 R3, etc. to meet and/or exceed the regulatory requirements of a technology service provider.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: All changes are managed under Bottomline’s ITIL based Change Management process. Changes are first tested by technical staff within development environments, then deployed into UAT/Test environments for customer and operational testing before finally being deployed into production (and/or DR) environments.

Changes require approval from the Change Advisory Board, which includes the Security Team, prior to being promoted to production.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Bottomline participates in the Governance Cyber Security Alerting System in both the US and the UK, allowing us to act more quickly in the event of an impending threat.

Bottomline also receives threat intelligence from multiple cyber security threat intelligence sources, which are monitored by the Security Operations Team. Email notifications, RSS Feeds, and social media intelligence sources are analyzed daily for cyber threats relevant to Bottomline.

The severity of threats is determined using the Bottomline Security Incident Management Process and the remediation of findings is carried out in accordance with the risk assigned to the threat/vulnerability.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Bottomline utilizes a defense in depth methodology for protection which includes, but is not limited to, the following: DDoS protection / mitigation technologies, web application firewall, firewalls, forward and reverse proxies, IDS / IPS, HIDS, and SIEM.

The severity of threats is determined using the Bottomline Security Incident Management Process and the remediation of findings is carried out in accordance with the risk assigned to the threat/vulnerability.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Employees report incidents to Bottomline's Security Incident Response Team (SIRT).

In the event of a breach the SIRT invokes the Incident Response Plan (IRP) which includes, but is not limited to, the following:
  • Collect and protect the information associated with the incident.
  • Apply short-term solutions to contain the incident.
  • Eliminate all means of intruder access.
  • Return systems to normal operations.
  • Post-incident analysis and modification of the procedures as appropriate to identify and implement security lessons learned.

The customer is kept informed through the incident lifecycle and is notified when the incident has been resolved.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Pricing

Price: £1000 to £100000 per instance per year
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Bottomline offers a trial period for potential customers.

The trial service is as fully functional as possible, although due to the nature of the Bacs and Faster Payment Services, transactions cannot be completed.

Service documents

  • Pricing document (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)