PCI Pal Automated Payment Services

Customers expect businesses to provide
multiple payment and engagement options. PCI Pal’s Automated
Payments solution empowers customers to make
payments 24/7 without speaking with an agent or accessing
your website. Payments are handled within PCI Pal’s secure
cloud and can be integrated with your IVR or entirely within our platform.


  • De-scope for Contact Centre from PCI DSS Requirements
  • Secure financial transaction
  • Reduce call handling times
  • Improved customer experience


  • Prevent sensitive card data from entering your environment
  • Provide peace of mind for your customers
  • Improve both the customer and agent experience
  • Streamline your process when taking telephone payments
  • Multi Language Support
  • Extended Opening Hours
  • Automation of Payment Services


£204 to £360 per licence per year

Service documents

G-Cloud 11



Tony Smith

0330 131 0334


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Can be integrated with payment and CRM applications
Can be integrated as part of a contact centre or telecoms offering
Cloud deployment model Private cloud
Service constraints The service is agnostic to all connecting components: Telephony, Desktop (e.g. Billing or CRM system), and Payment Gateway.
System requirements
  • Access to Web Browser or Web-Interfacing Desktop Application
  • Each User must have access to a telephone

User support

User support
Email or online ticketing support Email or online ticketing
Support response times As per standard support times
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AAA
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Standard support levels are

1. Urgent 1 Hour System Failure Critical disruption: Complete loss of PCI Pal services to one or more customer sites. Complete loss of credit card processing. Affecting all agents and all payment attempts.
2. High 4 Hours System Fault Major disruption: PCI Pal services suffering major disruption. Major disruption being defined as Issues impacting > 20% of agents or IVR payments, over a period of 1 hour, at any one customer site.
3. Medium 24 Hours Minor Fault Minor disruption: e.g. partial or reduced access to services, service affecting faults impacting < 20% of agents or IVR payments, over a period of 1 hour, at any one customer site. Non-service affecting faults.
4. Low 48 Hours Change Change: Change to system or configuration.
5 Low 72 Hours Query Question: General support questions, queries and analysis on retrospective and non-impacting issues.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started The service is very simple for a user to use and the standard train-the-trainer and User Acceptance Testing can be completed in a single day. We are able to provide both remote, on-site and on-line learning packages. We can work alongside Training Departments for larger organisations or where more custom integrations have been created, to help build internal training programs for users.

The project will also include either on-site or remote go live support.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Export by PCI Pal
End-of-contract process PCI Pal will contact the user at the end of the contract to determine their requirements and agree a new term or exit process if required

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing Dragon, Read/Write Gold, JAWS, Zoom Text.
What users can and can't do using the API The service for Agents/Advisors (i.e. individual users) through the API is the same. By integrating a Desktop Billing System to the API, the user experience can be enhanced due to the fact that all necessary data can be passed directly to PCI Pal without manual input by the User.

Administrative Users have the ability to configure the service including integration points and configuration of the User Interface. This setup is usually performed by PCI Pal in the initial deployment of the service but full training and accreditation is available should the customer wish.

Changes are made via the Administration web-based environment and not directly through the API. The API allows interfacing between a customer Desktop Environment and PCI Pal via RESTful Web Services.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation User interface can be customised to accommodate specific user requirements. This work is carried out by the PCI Pal professional services team and is included within the standard deployment process.

Following suitable training and accreditation from PCI Pal, it is possible to enable a customer's development team to access and administer changes to the service.


Independence of resources For each User (end customer), PCI Pal sets a limit for accessing each component (Web and Telephony) into PCI Pal. An example of this is the number of simultaneous telephone calls allowed for each user. This is not the number of licences, but a maximum peak above the number of licences to allow some burst scenarios. Alerting is used within the platform and the nature of the Cloud service architecture means that additional capacity can be very quickly added when capacity thresholds are reached.


Service usage metrics Yes
Metrics types Both standard and customised usage reports are available to show volumes, transactions attempted based on different criteria.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Service request to PCI Pal
Data export formats Other
Other data export formats
  • PDF
  • HTML
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Network Availability
PCI Pal offers a target service uptime availability to the Customer as follows: PCI Pal Platform Availability 99.999% average uptime per month

SLA Performance Metrics
Our performance metrics are measured 24/7/365 by our network monitoring infrastructure which will alert, by email, text message, and phone call, to our engineering team, who are also available 24/7/365.

Service Credits
Where the SLA is not met over the course of a single month period, PCI Pal agree to pay service credits to the Client as set out in this paragraph.

1. Failure to resolve a Priority 1 event within the service level will incur a service credit of £250 for the first failure in any month, followed by a service credit of £350 for the second and £450 for the third failure in any month. This is payable up to a maximum of 3 times per calendar month.

2. In addition, PCI Pal will credit a percentage of the monthly invoice value equivalent to the percentage of call failures in that month by the following:

Up to 20% call failures will receive a 10% reduction.
Above 20% call failures will receive a 25% reduction.
Approach to resilience Available on Request
Outage reporting Administrator Level Users can view service updates via the PCI Pal platform.
Email Alerts are also in place to report outages and updates.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Platform is tenanted in the web environment and only allows Admin-level users to have access to the management interfaces of their specific tenant. Admin-Level users can also create sub-tenants within their own tenant and grant sub-tenant admin access to users. Standard Users (Agents) access the system to simply conduct payments for end customers. They are not able to view any of the administrative areas of the system or change or modify the functionality of their payment screens.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 QMS International
ISO/IEC 27001 accreditation date 14/03/2017
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification 7Safe,Cambridge Technology Centre, Melbourn, Herts, SG8 6DP United Kingdom
PCI DSS accreditation date 13th October 2017
What the PCI DSS doesn’t cover We are a level 1 certified service provider
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO 27001, ISO 22301, and PCI DSS compliant. PCI Pal adopts automatic and manual monitoring of systems to adhere to these policies.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Configuration and change requests are logged via our ticketing system (CR).
The CR must include a deployment plan, a rollback plan, a test plan and detail potential risks and impact to service, during the change window.
The CR is peer assessed before being passed for Change Manager and CAB approval.
A CAB is formed to assess and approve CRs on a weekly basis.
Once released, the change is tested and signed off.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Monthly reassessment to PCI DSS compliance;
Threats alerted from US-CERT, Cisco and Microsoft bulletins.
Patches deployed monthly if non-critical, within 3 days if critical.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Constant monitoring by ASV.
Centralised logging server is monitored.
Incident Response plan in place with response deadlines within 8 hours. Any service-affecting incidents adhere to the defined Priority Level SLAs for customer communication on top of the Incident Response plan mentioned above.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incidents can be raised reactively by a customer or proactively via our monitoring tools.
All incidents are logged via our ticketing system (INC).
Incidents are triaged and assessed for impact then prioritised correctly.
Once resolved, the customer is contacted to confirm satisfactory resolution.
Problem tickets (PR) are raised for any necessary follow up investigations (root cause analysis etc) following a high priority incident.
For all high priority incidents, a full fault summary is provided once the investigation is complete.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £204 to £360 per licence per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑