Direct Debit service

The Direct Debit Service from PayPoint is a feature rich platform for managing all Direct Debit capabilities, including mandate set up through 8 different channels. Rich reporting gives you insight into customer behaviour, and full customer communications are included.


  • Feature rich platform which is flexible to fit your needs
  • Call centre portal to view and manage direct debits
  • Unlimited user access to portal, can be accessed 24/7
  • Make credits back to customer accounts
  • Access to BACS files, immediate processing against payer records
  • Ability to generate branded customer communications via letter or email
  • Extended Reporting
  • Sophisticated integration tool allows seamless processing through existing systems
  • 8 Different Channels for setting up Direct Debit Mandates
  • Software As A Service


  • Efficiency savings, seamlessly fits into your business
  • Cost savings with automation, electronic customer communications and direct refunds
  • Reduced arrears with re-attempts of previously failed payments
  • Enhanced cashflow management
  • Full Bacs compliance
  • Cloud based solution so nothing managed on your IT platforms
  • Easy to use screens make training easy
  • Advanced reporting gives greater customer behaviour insight
  • Rapid Set Up Process for easy administration
  • Support from a Market Leading Finance Business


£0.05 to £0.25 per transaction

  • Education pricing available

Service documents

G-Cloud 11



Ian Ranger

01707 600388

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The PayPoint service is available 24/7 and we operate a full disaster recovery facility to provide complete service resilience. In the event we do carry out system maintenance, we provide our clients with notice and schedule overnight to ensure minimal disruption.
System requirements
  • Our service is available via Internet Explorer 9+
  • Compatible with latest version of Chrome
  • Compatible with latest version of Firefox
  • Compatible with latest version of Opera
  • Compatible with Safari

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Depending on the severity of the question. Responses can be handled immediately. At weekends, only severity 1 questions will be handled immediately.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels The PayPoint Client Management team are available 9 to 5:30 Monday to Friday. Outside of core hours, we maintain an operational contact centre that is available 24/7 to deal with any urgent issues.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started PayPoint's Client Implementation team will work with you to develop, test and implement the services. We will provide you with specifications and user documents and we will help you to complete a questionnaire which details your requirements. Once developed, we provide full end to end testing and implement upon your acceptance. When the service is live you will be introduced to the Client Services team who will manage any day to day issues or questions you may have.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Transaction data is provided daily up to the day the contract ends. Any client data will be returned at the end of the contract.
End-of-contract process In the event the buyer transfers to another supplier, PayPoint will help to ensure a smooth transition. There would be no additional costs.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The mobile user journey for setting up direct debit mandates can be either through mobile enabled sites or directly through APIs from your own apps.
Service interface Yes
Description of service interface The interface is an easy to use interface that allows user to set up and maintain customers and direct debit mandates.
There is required BACS reporting, and additional insight reporting available through the platform.
The interface makes it easy for any organisation to manage their Direct Debits.
Accessibility standards None or don’t know
Description of accessibility Users can:

Set up new direct debit mandates
Manage existing direct debit mandates
Search for customer Direct Debits
Create new schedules
Review BACS reports
Run tailored insight reports.
Audit Transactions
Accessibility testing This has not been tested but our excellent coding standards mean that the interface should be compatible with screen readers.
What users can and can't do using the API PayPoint have made available direct APIs in order to facilitate the payment, and removing the need for clients to be PCI compliant if required.

All PayPoint channels are built on a common set of RESTful APIs. These APIs are now being offered to clients to allow them to build their own channel apps or integrate into existing ones.

PayPoint offers a full user journey scoping service, advising on the best APIs to use to achieve maximum user satisfaction.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation PayPoint can provide buyers with a range of customisation within Direct Debit

Our Hosted Mandate Page can be fully branded and be compliant with BACS.

Bank Modulus checks and Postcode checks are included

APIs allow full customer user journey control.

Our Client Implementation team will work with you during the set up process to customise the service to your requirements.


Independence of resources PayPoint operates a 24/7 real time on-line system, supported by dual data centres to ensure full service availability at all times. Across all payment channels, PayPoint has an enviable track record of near total up-time, meeting industry best standards and this extends to resilience in the event of major service problems. During peak periods, PayPoint processes over 10 million transactions a week.


Service usage metrics Yes
Metrics types As well as providing a daily batch transaction file (csv format), PayPoint provide an online dashboard so buyers can see Direct Debit Transactions.
In addition to all Mandatory BACS reporting, reporting is available on customer behaviour and insights.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach Data is held in a private subnet which is only accessible via a VPN; bank data is encrypted and not visible in plain text.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach PayPoint provide clients with daily transaction files which contain details of all transactions processed the previous day.

All Reports are also available to download via the Direct Debit Client Portal
Data export formats
  • CSV
  • Other
Other data export formats Excel
Data import formats
  • CSV
  • Other
Other data import formats Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability SLA = 99.99% availability
Users are refunded via bet invoicing methods.
Approach to resilience Regular monitoring. The service is based in Dublin Ireland and is mirrored in three data centres which are on separate power and telecoms networks. If one becomes unavailable, it switches to one of the other two to maintain availability. We also hold a separate copy of the data in London and this can be deployed and running in one hour.
Outage reporting Email and system notifications to authorised Users. Any outages are reviewed at a management meeting monthly.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Any access to our interfaces requires the end user to enter their Username and Password.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ISO 27001:2013 SOCOTEC - Certification International
ISO/IEC 27001 accreditation date 12/07/2018
What the ISO/IEC 27001 doesn’t cover Nothing - All systems, premises, software applications, business processes and operations are covered.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Securious Ltd (Cardstream)
PCI DSS accreditation date 31/08/2018
What the PCI DSS doesn’t cover N/A
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes PayPoint has a documented Group Information Security Policy and Security Policy Framework both compliant with ISO27001:2013. These are supported by a suite of other policies and procedures published for staff on our Intranet. Examples include anti-virus protection, vulnerability management, internet and e-mail use, staff training, risk management and incident reporting.

We ensure compliance to these policies by implementing our own internal audit system, employing third party auditors to target specific areas of governance and we are subject to registration visits twice per year for ISO27001:2013, once per year for PCI DSS and a number of audits for LINK compliance. All staff including contractors are expected to complete an information security induction when they begin at PayPoint and all staff are given refresher training once per year. In 2018 all staff have also been expected to complete both GDPR and DPA training on our new learning management system. The company has established a Cyber Security Sub-Committee and the board actively participate in both strategic risk reviews and incident exercises.

PayPoint has a Risk and Compliance team comprising of a Head of Risk and Compliance, a Risk and Compliance Manager, a Fraud and Police Investigations Officer and a Technical Security Analyst.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach PayPoint has a documented change management procedure. Development and production environments and staff are segregated. There is a weekly change review board that must approve any change before it is deployed to production. There is a facility for emergency changes to be released but this requires senior IT Management approval. PayPoint has dedicated project managers, a dedicated configuration manager and a documents software development process. In production, change managers have oversight of product deployments. Every weekday there is a meeting on the operations bridge to review all technical incidents changes and business in hand.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach PWe employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach There is a daily bridge review of all risks and incidents which is internally escalated and reviewed.

We also employ a third party NCC (formerly CESG) CHECK vendor to independently test our security/vulnerability. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing. Reports are received as soon as available and work to correct issues found is prioritised based on risk.
Incident management type Supplier-defined controls
Incident management approach PayPoint is registered for ISO27001 and is PCI compliant. In the event of an incident, we will notify our clients via e-mail. If Users identify an incident, they should contact their Account Manager or the Operations bridge if outside core hours. PayPoint provide incident reports via e-mail where appropriate.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.05 to £0.25 per transaction
Discount for educational organisations Yes
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions pdf document: Modern Slavery statement
Service documents
Return to top ↑