allpay Limited

Prepaid Cards

allpay provides a Mastercard-branded prepaid card for one-off disbursements of funds or for on-going reloadable payment schemes. Cards can be enabled for chip and pin payments, e-commerce transactions and regular payments e.g. direct debits and standing orders.


  • Cloud-based web Portals for Organisation and Cardholder
  • Cards issued on Mastercard® Scheme
  • Point of Sale, E-Commerce and ATM Functionality
  • Sortcode and Account Number and access to BACS/FP
  • Online and Telephone Banking Solution for the Cardholder
  • Ability to set-up Direct Debits and Standing Orders
  • Flexibility to block Merchant Category Codes (MCC)
  • Self-service Reporting Suite
  • Real-time loading of Cards, individually and in bulk


  • Real-time visibility of spend to enable monitoring
  • Real-time Load and Redemptions
  • Both Self-service and Exception Reporting
  • 24/7 Automated Phone Line and Online Portal for balances
  • In-house Call Centre for Customer queries
  • Multiple activation/PIN retrieval solutions
  • No Credit facility for the Cardholder
  • Load/Recoup funds and block Cards instantly
  • Secondary Cards for Carers/Guardians supporting Service Users
  • Ability to absorb Transaction Fees or assign to Cardholder


£2.89 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

3 8 2 8 0 6 1 4 7 3 9 1 8 9 7


allpay Limited Ailsa Tuck
Telephone: 01432852404

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System outage for the online systems due to maintenance will not exceed 12 hours annually and will not exceed 8 hours for any single outage. Maintenance will only occur during scheduled off-peak hours: 23:00 – 05:00. Clients will be made aware of any planned work prior to commencement.
System requirements
  • The solution is compatible with IE9 and above
  • The solution is compatible with Chrome 24 and above
  • The solution is compatible with Safari 9, Firefox 18
  • The solution is compatible with Opera 15 and above
  • The solution is browser based with only internet access required

User support

Email or online ticketing support
Email or online ticketing
Support response times
Customer Service Contact Centre (CSCC) team is available between 08:00 and 18:00 Monday to Friday for both client and payer queries.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
Outside the Customer Service Contact Centre hours 08:00-18:00 Monday to Friday, allpay ensures an engineer is on-call 24/7 for incidents. allpay provides a dedicated account manager for day to day queries including performance management, contract queries and any technical issues encountered.
Support available to third parties

Onboarding and offboarding

Getting started
Allpay will appoint a dedicated implementation contact to oversee the full implementation process – with weekly calls scheduled between them, the organisation's dedicated account manager and stakeholders at the Organisation.

allpay will liaise with the organisation to capture all of the organisation's scheme requirements e.g. Merchant Category Code blocking, spend limits etc.

allpay will provide onsite training for clients, upon a date agreed between both parties. We provide a mix of practical exercises to build familiarisation with the prepaid card service, platform and procedures. This includes instructional videos for both clients' staff and service users, user guides and handbooks for client users and quick-start reference sheets.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Allpay will work with clients to ensure a smooth exit once the contact ends. Any client data will be returned in the format requested either via SFTP or securely via allpay's management portals.
End-of-contract process
Allpay's contract price covers the setting up of the service as agreed. If the contract has run its intended or extended term or for any other agreed reason we would return client data (as detailed in the previous question). We would offer (subject to the exact requirement) any assistance we can to allow a smooth exit and transfer to any new supplier.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
For those service users who do not have access to a computer, allpay’s Cardholder Portal is mobile optimised allowing service users who are on a mobile phone or tablet to easily access and carry out Portal functions from their device.
Service interface
What users can and can't do using the API
APIs are available to cover all of allpay’s prepaid service functionality. allpay can provide technical documentation to support the integration.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Allpay's Prepaid Service is web-based and can be branded with the organisation's logo to promote familiarity with users logging into their online banking service.


Independence of resources
To ensure the platform can manage a high concurrent transaction and user level, the platform is monitored and, due to the architectures modular approach, can be scaled to accommodate the business needs. The platform is monitored to keep AIX processing usage below 5% on physical AIX hosts. When resource consumption of any physical host approaches 40%, additional hardware is acquired and assigned to the pool. Additionally, restrictions are in place on system resources to ensure each entity cannot monopolise server resources.


Service usage metrics
Metrics types
The solution has a reporting suite, which is accessed within the web-based Organisation Portal. It provides clients with access to 14 different reports which can be run in real time, configurable by date and programme.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Reports can be exported in CSV, Excel or PDF from within the Organisation Portal. Reports show real-time transaction data covering user management, successful and unsuccessful transactions, available balances and the status of individual cards.

Transfer of data between organisations and allpay uses 256-bit Advanced Encryption Standard (AES) over Transport Layer Security (TLS) 1.2, creating a secure link between the organisation’s internet browsers and allpay’s web servers, ensuring all data transmitted between the two remains secure.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Excel
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Allpay conforms to a 99% availability of the platform, which is available 24/7/365. allpay would liaise with the organisation over mutually agreed Key Performance Indicators to ensure measures were in place should performance fall below the agreed SLAs and KPIs.
Approach to resilience
Allpay has a fully documented, audited and regularly tested Business Continuity and Disaster Recovery plans, in place for this service; the exact details are available on request.

To ensure continuity of service in the event of a disaster and/or service-affecting incident, allpay has a comprehensive Business Continuity Plan, which is regularly tested without prior notice. The Business Continuity Plan details arrangements in the event of service affecting incidents including, but not limited to damage to or unavailability of premises and/or equipment, IT failures, anti-virus management and protection, malware attacks, pandemics, staffing levels and natural disasters. allpay’s processor, Carta Worldwide (CWW), has a similar Business Continuity plan.

allpay’s plan, based on ISO22301, clearly identifies Business Continuity procedures during the response to, and recovery from, a disruptive event. Responses to minor incidents or events may utilise elements of this plan.

The plan applies to all personnel who operate and manage critical business units, departments and services. All stakeholders would be kept fully informed at all times during any system failure so that contingency plans can be considered before any degradation of service.
Outage reporting
Organisations will be notified in advance of any scheduled maintenance. Scheduled maintenance is communicated out to the organisation's nominated super users, who are sent the scheduled maintenance period by email. Additionally, allpay has a public-facing service status page detailing the availability of all its services at all times.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access to the Organisation Portal, accessed by the Organisation, is protected by an authentication process. Organisation users will be provided with the Portal’s URL, a username and a temporary password via email. They will then be required to re-set the password on first access. This removes the chance of any unauthorised personnel accessing the portal for fraudulent activity. From within the Organisation Portal, the organisation will be able to configure roles and permissions. Each role has permissions to access specific functions in the Portal and, within that, actions to view, add, modify, delete or all.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Alcumus ISOQAR
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The certification covers all aspects of IT and security.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
Sysnet Global Solutions
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Allpay is directly PCI-DSS compliant and is a Level 1-certified Payment Services provider and Payment Facilitator.
Other security certifications
Any other security certifications
  • MasterCard and Visa accreditation
  • DPA Registration
  • Cyber Essentials Plus
  • Authorised as Electronic Money Institution (Financial Conduct Authority)
  • BACS-Approved Bureau
  • ISO 27001
  • ISO 9001

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
Allpay has a fully documented and audited Security Information Policy and ISO 27001 accreditation. allpay's Head of Compliance has overall responsibility for ensuring that the policy is followed - he reports to allpay's board of directors on any related matters. A copy of the policy can be provided on request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Allpay uses a Software Development Life Cycle (SDLC) for Software Development – a series of steps that provides a model for the development and lifecycle management of an application/software. Further to this, allpay has technical implementation plans and a change control board to verify changes prior to release into production. allpay uses an Agile development methodology and conforms to OWASP (Open Web Application Security Project). Developers also have training in secure coding techniques. allpay internally code reviews all major applications and revisions against such criteria as the OWASP top 10. Practices also comply with ISO 27001 and Cyber Essentials Plus.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Allpay performs monthly internal and external vulnerability scans as required by PCI. Internal auditors review systems as required and in conjunction with the allpay audit plan devised to maintain compliance with ISO 27001 & PCI standards. IT Operations have implemented various tools to monitor the health of the network, e.g. Ops Manager, Apps Manager, Tripwire, SIEM, IPS/IDS, Sophos Suite etc. Checks are made for patches and updates daily, once alerted to a new patch, IT Support will download and review the new patch within four hours of its knowledge of release.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Vulnerability scans are run against the network infrastructure for devices on a scheduled periodic basis and reports are generated on the vulnerabilities identified across the assets in each network zone. In response to any identified compromise, allpay has a fully documented and audited Information Security Response Plan that covers all reports of information security weaknesses or events relating to any of the organisation’s information assets. This is available on request. allpay has in place SLAs for incident response management, detailing fix times, response times and interval updates for critical and high impact incidents. These are available on request.
Incident management type
Supplier-defined controls
Incident management approach
Allpay has pre-defined processes in place for incident management. This is inline with ISO 27001. allpay’s Information Security Policy Handbook provides a framework for the management of information security to minimise risk (this is available on request). The high-level procedure for responding to any security incident is as follows: • Advise Head of Compliance • Commence investigations • Submit Security Incident form • Identify and implement resolution • Produce report • Update documentation • Advise management. Incident reports are available to clients through allpay's Customer Service Contact Centre

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£2.89 a unit
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.