allpay Limited

Debit and Credit Card Payments

allpay’s Debit and Credit Card Payment Solutions are used by more than 550 clients encompassing all elements required to process a card payment. As well as providing a full range of front-end payment channels, allpay can provide organisations with a merchant account or work with their existing merchant account provider.

Features

  • Automated Telephone Payments (IVR)
  • Online eCommerce payments
  • Smartphone Mobile Application and SMS Text Payments
  • Virtual Terminal for call centre payments
  • DTMF call masking solution for Call Centres
  • Use of allpay’s APIs creates seamless integration
  • PCI-DSS compliant card acceptance solutions
  • Merchant Acquiring and payment gateway card acceptance solution
  • Recurring Card Payments

Benefits

  • Increase likelihood of payment through our inclusive payment services
  • Save time and money by reducing burden of PCI-DSS
  • Single contract for all card acceptance services
  • Higher payment rate with user friendly and intuitive payment services
  • No software installation or maintenance needed saves time and money
  • Secure online access to daily reconciliation files
  • Maximise cashflow with settlement to any bank account(s)
  • Reduce misallocated payments using unique, self checking customer reference number
  • Reduce administration with allpay’s simple management of multiple income streams
  • Budgeting simpler and clearer with allpay’s all-inclusive transaction charges

Pricing

£0.10 per transaction

Service documents

Framework

G-Cloud 11

Service ID

5 7 7 9 5 5 7 7 6 0 7 0 9 7 6

Contact

allpay Limited

Ailsa Tuck

01432852404

tenders@allpay.net

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Any planned maintenance of solution will be carried out outside of the normal working day to minimise any disruption to the service. Clients will be made aware of any planned work prior to commencement.
System requirements
  • •The solution is browser based with only internet access required
  • •The solution is compatible with IE9 and above
  • •The solution is compatible with Chrome 24 and above
  • •The solution is compatible with Safari 9, Firefox 18
  • •The solution is compatible with Opera 15 and above

User support

Email or online ticketing support
Email or online ticketing
Support response times
Allpay’s 30-member strong UK in-house Customer Service Contact Centre (CSCC) team is available between 08:00 and 18:00 Monday to Friday for both client and payer queries. Outside these hours allpay ensures an engineer is on-call 24/7 for incidents.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
Outside the Customer Service Contact Centre hours 08:00-18:00 Monday to Friday, allpay ensures an engineer is on-call 24/7 for incidents. allpay provides a dedicated account manager for day to day queries including performance management, contract queries and any technical issues encountered.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Allpay will appoint a dedicated implementation contact to oversee the full implementation process – with weekly calls scheduled between them, the organisation's dedicated account manager and stakeholders at the Organisation. The implementation would vary depending on what card-acceptance service was utilised. Generally, organisations would be set-up to receive collected payments on allpay's systems and the organisation would be required to submit to allpay its cascading style sheet for payment page branding. If telephony services were utilised, allpay would require the completion of a questionnaire, allowing it to identify which non-geographical numbers the organisation would require re-routing through its secure cloud-based call masking service, ensuring customer keypad tones are masked when making a payment. On-site or web-based training can be provided on allpay’s cloud-based portals, allowing organisations to download Payment Information Files (PIFs), run reports, take payments and issue refunds, reconcile payments and create new accounts. Training will cover user permissions, ordering, approving and managing customer accounts, with specialist Support Teams available post go-live. Online Manuals will be provided.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Allpay will work with clients to ensure a smooth exit once the contact ends. Any client data will be returned in the format requested either via SFTP or securely via allpay's management portals.
End-of-contract process
Allpay's contract price covers the setting up of the service as agreed. If the contract has run its intended or extended term or for any other agreed reason we would return client data (as detailed in the previous question). We would offer (subject to the exact requirement) any assistance we can to allow a smooth exit and transfer to any new supplier.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Allpay provides mobile-optimised payment gateway pages in addition to a Mobile Payment App for bill payments. The mobile-optimised payment pages feature all the functionality of the desktop service.
Service interface
No
API
Yes
What users can and can't do using the API
Allpay can provide its payment processing APIs for organisations to utilise inside their own interfaces.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Organisations can brand allpay's online payment pages. These would be hosted by allpay, reducing the burden of compliance to organisations.

Organisations can also record their own greeting and exit messages utilising allpay's automated telephone solution.

Scaling

Independence of resources
Allpay uses a number of utilisation tools to monitor its networks and associated equipment to ensure that all of its clients receive service in accordance with the agreed Service Levels expected. An automated reporting and monitoring process is in place for all platforms, with alert messaging provided to key business stakeholders at certain capacity thresholds. As the service components and client applications can be run on multiple servers and separate services, the architecture is inherently scalable. As such, the solution can easily grow onto multiple servers across data centres making the system horizontally scalable.

Analytics

Service usage metrics
Yes
Metrics types
A standard suite of reports is available and can be scheduled for delivery to the organisation, covering user management, transaction breakdowns and transaction history. allpay can also work with organisations to create bespoke reports with the option to have them scheduled. Additionally, real-time reports are available within allpay's Virtual Terminal solution which will allow organisations to view transaction history across all of allpay's card-acceptance channels.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Transfer of data between organisations and allpay uses 256-bit Advanced Encryption Standard (AES) over Transport Layer Security (TLS) 1.2, creating a secure link between the organisation’s internet browsers and allpay’s web servers, ensuring all data transmitted between the two remains secure. Data can be exported securely via allpay's management portals.
Data export formats
  • CSV
  • Other
Other data export formats
ASCII
Data import formats
  • CSV
  • Other
Other data import formats
ASCII

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.5% availability excluding downtime required for planned upgrade and maintenance.
Approach to resilience
Allpay’s data centres have full redundancy for all amenities and networking connectivity.  Its data centres operate with real-time data replication supporting real-time failover between them. This provides a 99.5% availability excluding downtime required for planned upgrade and maintenance.  allpay’s data centres are ISO 27001 certified. The allpay system is live 24/7/365.
Outage reporting
Organisations will be notified in advance of any scheduled maintenance. Scheduled maintenance is communicated via our cloud-based management portal, where a message will be displayed detailing the maintenance period. Additionally, emails would be sent directly to Super Users of the portal, who are sent the scheduled maintenance period by email. Additionally, allpay has a public-facing service status page detailing the availability of all its services at all times.

Identity and authentication

User authentication needed
Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Access to allpay's management portals is authenticated via username and password. User accounts are configured with varying level of access available. The nominated super user at the organisation can create user accounts with configurable permissions. Roles can also be created to approve user actions e.g. transactions above specified value thresholds. Data is segregated in the system by unique client codes, ensuring each client only has access to their and their customers' data. Passwords must be a minimum of eight characters, alpha-numeric.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQAR
ISO/IEC 27001 accreditation date
04/12/2017
What the ISO/IEC 27001 doesn’t cover
TBC
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Sysnet Global Solutions
PCI DSS accreditation date
09/02/2018
What the PCI DSS doesn’t cover
Allpay is directly PCI-DSS compliant and is a Level 1-certified Payment Service Provider and Payment Facilitator.
Other security certifications
Yes
Any other security certifications
  • MasterCard and Visa accreditation
  • DPA Registration
  • BACS Certificate of approval
  • Cyber Essentials Plus
  • ISO 9001
  • Authorised as Electronic Money Institution (Financial Conduct Authority)
  • ISO 27001

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
Allpay has a fully documented and audited Security Information Policy and ISO 27001 accreditation. allpay's Head of Compliance has overall responsibility for ensuring that the policy is followed - he reports to allpay's board of directors on any related matters. Since its inception in 1994 information security has been the cornerstone of allpay's operations. allpay maintains information resources which are essential to performing allpay business. Similar to any other capital resources owned by allpay, these resources are to be viewed as valuable assets over which allpay has both rights and obligations to manage, protect, secure, and control. allpay employees, contractors, third parties and other entities are expected to utilise these resources for appropriate purposes, protect access to them, and control them appropriately. Examples of information resources include, but are not limited to: Electronic data, Paper based information, reports, records and documents Information shared orally or visually (conversation, telephone call, or presentation) Information communicated in e-mails Computer Systems Networks Buildings People. A copy of the policy can be provided on request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Allpay uses a Software Development Life Cycle (SDLC) for Software Development – a series of steps that provides a model for the development and lifecycle management of an application/software. Further to this, allpay has technical implementation plans and a change control board to verify changes prior to release into production. allpay uses an Agile development methodology and conforms to OWASP (Open Web Application Security Project). Developers also have training in secure coding techniques.   allpay internally code reviews all major applications and revisions against such criteria as the OWASP top 10. Practices also comply with ISO 27001 and Cyber Essentials Plus.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Allpay performs monthly internal and external vulnerability scans as required by PCI. Internal auditors review systems as required and in conjunction with the allpay audit plan devised to maintain compliance with ISO 27001 & PCI standards. IT Operations have implemented various tools to monitor the health of the network, e.g. Ops Manager, Apps Manager, Tripwire, SIEM, IPS/IDS, Sophos Suite etc. Checks are made for patches and updates daily, once alerted to a new patch, IT Support will download and review the new patch within four hours of its knowledge of release.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Vulnerability scans are run against the network infrastructure for devices on a scheduled periodic basis and reports are generated on the vulnerabilities identified across the assets in each network zone. In response to any identified compromise, allpay has a fully documented and audited Information Security Response Plan that covers all reports of information security weaknesses or events relating to any of the organisation’s information assets. This is available on request. allpay has in place SLAs for incident response management, detailing fix times, response times and interval updates for critical and high impact incidents. These are available on request.
Incident management type
Supplier-defined controls
Incident management approach
Allpay has pre-defined processes in place for incident management. This is inline with ISO 27001. allpay’s Information Security Policy Handbook provides a framework for the management of information security to minimise risk (this is available on request). The high-level procedure for responding to any security incident is as follows:   • Advise Head of Compliance  • Commence investigations  • Submit Security Incident form  • Identify and implement resolution  • Produce report  • Update documentation  • Advise management. Incident reports are available to clients through allpay's Customer Service Contact Centre.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£0.10 per transaction
Discount for educational organisations
No
Free trial available
No

Service documents

Return to top ↑