PayPoint

Direct Debit service

The Direct Debit Service from PayPoint is a feature rich platform for managing all Direct Debit capabilities, including mandate set up through 8 different channels. Rich reporting gives you insight into customer behaviour, and full customer communications are included.

Features

  • Feature rich platform which is flexible to fit your needs
  • Call centre portal to view and manage direct debits
  • Unlimited user access to portal, can be accessed 24/7
  • Make credits back to customer accounts
  • Access to BACS files, immediate processing against payer records
  • Ability to generate branded customer communications via letter or email
  • Extended Reporting
  • Sophisticated integration tool allows seamless processing through existing systems
  • 8 Different Channels for setting up Direct Debit Mandates
  • Software As A Service

Benefits

  • Efficiency savings, seamlessly fits into your business
  • Cost savings with automation, electronic customer communications and direct refunds
  • Reduced arrears with re-attempts of previously failed payments
  • Enhanced cashflow management
  • Full Bacs compliance
  • Cloud based solution so nothing managed on your IT platforms
  • Easy to use screens make training easy
  • Advanced reporting gives greater customer behaviour insight
  • Rapid Set Up Process for easy administration
  • Support from a Market Leading Finance Business

Pricing

£0.05 to £0.25 per transaction

  • Education pricing available

Service documents

Framework

G-Cloud 11

Service ID

3 9 3 5 9 5 3 9 0 9 7 9 1 4 8

Contact

PayPoint

Ian Ranger

01707 600388

ianranger@paypoint.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
The PayPoint service is available 24/7 and we operate a full disaster recovery facility to provide complete service resilience. In the event we do carry out system maintenance, we provide our clients with notice and schedule overnight to ensure minimal disruption.
System requirements
  • Our service is available via Internet Explorer 9+
  • Compatible with latest version of Chrome
  • Compatible with latest version of Firefox
  • Compatible with latest version of Opera
  • Compatible with Safari

User support

Email or online ticketing support
Email or online ticketing
Support response times
Depending on the severity of the question. Responses can be handled immediately. At weekends, only severity 1 questions will be handled immediately.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
The PayPoint Client Management team are available 9 to 5:30 Monday to Friday. Outside of core hours, we maintain an operational contact centre that is available 24/7 to deal with any urgent issues.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
PayPoint's Client Implementation team will work with you to develop, test and implement the services. We will provide you with specifications and user documents and we will help you to complete a questionnaire which details your requirements. Once developed, we provide full end to end testing and implement upon your acceptance. When the service is live you will be introduced to the Client Services team who will manage any day to day issues or questions you may have.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Transaction data is provided daily up to the day the contract ends. Any client data will be returned at the end of the contract.
End-of-contract process
In the event the buyer transfers to another supplier, PayPoint will help to ensure a smooth transition. There would be no additional costs.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile user journey for setting up direct debit mandates can be either through mobile enabled sites or directly through APIs from your own apps.
Service interface
Yes
Description of service interface
The interface is an easy to use interface that allows user to set up and maintain customers and direct debit mandates.
There is required BACS reporting, and additional insight reporting available through the platform.
The interface makes it easy for any organisation to manage their Direct Debits.
Accessibility standards
None or don’t know
Description of accessibility
Users can:

Set up new direct debit mandates
Manage existing direct debit mandates
Search for customer Direct Debits
Create new schedules
Review BACS reports
Run tailored insight reports.
Audit Transactions
Accessibility testing
This has not been tested but our excellent coding standards mean that the interface should be compatible with screen readers.
API
Yes
What users can and can't do using the API
PayPoint have made available direct APIs in order to facilitate the payment, and removing the need for clients to be PCI compliant if required.

All PayPoint channels are built on a common set of RESTful APIs. These APIs are now being offered to clients to allow them to build their own channel apps or integrate into existing ones.

PayPoint offers a full user journey scoping service, advising on the best APIs to use to achieve maximum user satisfaction.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
PayPoint can provide buyers with a range of customisation within Direct Debit

Our Hosted Mandate Page can be fully branded and be compliant with BACS.

Bank Modulus checks and Postcode checks are included

APIs allow full customer user journey control.

Our Client Implementation team will work with you during the set up process to customise the service to your requirements.

Scaling

Independence of resources
PayPoint operates a 24/7 real time on-line system, supported by dual data centres to ensure full service availability at all times. Across all payment channels, PayPoint has an enviable track record of near total up-time, meeting industry best standards and this extends to resilience in the event of major service problems. During peak periods, PayPoint processes over 10 million transactions a week.

Analytics

Service usage metrics
Yes
Metrics types
As well as providing a daily batch transaction file (csv format), PayPoint provide an online dashboard so buyers can see Direct Debit Transactions.
In addition to all Mandatory BACS reporting, reporting is available on customer behaviour and insights.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
Data is held in a private subnet which is only accessible via a VPN; bank data is encrypted and not visible in plain text.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
PayPoint provide clients with daily transaction files which contain details of all transactions processed the previous day.

All Reports are also available to download via the Direct Debit Client Portal
Data export formats
  • CSV
  • Other
Other data export formats
Excel
Data import formats
  • CSV
  • Other
Other data import formats
Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
SLA = 99.99% availability
Users are refunded via bet invoicing methods.
Approach to resilience
Regular monitoring. The service is based in Dublin Ireland and is mirrored in three data centres which are on separate power and telecoms networks. If one becomes unavailable, it switches to one of the other two to maintain availability. We also hold a separate copy of the data in London and this can be deployed and running in one hour.
Outage reporting
Email and system notifications to authorised Users. Any outages are reviewed at a management meeting monthly.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Any access to our interfaces requires the end user to enter their Username and Password.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
ISO 27001:2013 SOCOTEC - Certification International
ISO/IEC 27001 accreditation date
12/07/2018
What the ISO/IEC 27001 doesn’t cover
Nothing - All systems, premises, software applications, business processes and operations are covered.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Securious Ltd (Cardstream)
PCI DSS accreditation date
31/08/2018
What the PCI DSS doesn’t cover
N/A
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
PayPoint has a documented Group Information Security Policy and Security Policy Framework both compliant with ISO27001:2013. These are supported by a suite of other policies and procedures published for staff on our Intranet. Examples include anti-virus protection, vulnerability management, internet and e-mail use, staff training, risk management and incident reporting.

We ensure compliance to these policies by implementing our own internal audit system, employing third party auditors to target specific areas of governance and we are subject to registration visits twice per year for ISO27001:2013, once per year for PCI DSS and a number of audits for LINK compliance. All staff including contractors are expected to complete an information security induction when they begin at PayPoint and all staff are given refresher training once per year. In 2018 all staff have also been expected to complete both GDPR and DPA training on our new learning management system. The company has established a Cyber Security Sub-Committee and the board actively participate in both strategic risk reviews and incident exercises.

PayPoint has a Risk and Compliance team comprising of a Head of Risk and Compliance, a Risk and Compliance Manager, a Fraud and Police Investigations Officer and a Technical Security Analyst.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
PayPoint has a documented change management procedure. Development and production environments and staff are segregated. There is a weekly change review board that must approve any change before it is deployed to production. There is a facility for emergency changes to be released but this requires senior IT Management approval. PayPoint has dedicated project managers, a dedicated configuration manager and a documents software development process. In production, change managers have oversight of product deployments. Every weekday there is a meeting on the operations bridge to review all technical incidents changes and business in hand.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
PWe employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
There is a daily bridge review of all risks and incidents which is internally escalated and reviewed.

We also employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
Incident management type
Supplier-defined controls
Incident management approach
PayPoint is registered for ISO27001 and is PCI compliant. In the event of an incident, we will notify our clients via e-mail. If Users identify an incident, they should contact their Account Manager or the Operations bridge if outside core hours. PayPoint provide incident reports via e-mail where appropriate.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£0.05 to £0.25 per transaction
Discount for educational organisations
Yes
Free trial available
No

Service documents

Return to top ↑