PCI Pal Automated Payment Services
Customers expect businesses to provide
multiple payment and engagement options. PCI Pal’s Automated
Payments solution empowers customers to make
payments 24/7 without speaking with an agent or accessing
your website. Payments are handled within PCI Pal’s secure
cloud and can be integrated with your IVR or entirely within our platform.
- De-scope for Contact Centre from PCI DSS Requirements
- Secure financial transaction
- Reduce call handling times
- Improved customer experience
- Prevent sensitive card data from entering your environment
- Provide peace of mind for your customers
- Improve both the customer and agent experience
- Streamline your process when taking telephone payments
- Multi Language Support
- Extended Opening Hours
- Automation of Payment Services
£204 to £360 per licence per year
0330 131 0334
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
Can be integrated with payment and CRM applications
Can be integrated as part of a contact centre or telecoms offering
|Cloud deployment model||Private cloud|
|Service constraints||The service is agnostic to all connecting components: Telephony, Desktop (e.g. Billing or CRM system), and Payment Gateway.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||As per standard support times|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 AAA|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Onsite support|
Standard support levels are
1. Urgent 1 Hour System Failure Critical disruption: Complete loss of PCI Pal services to one or more customer sites. Complete loss of credit card processing. Affecting all agents and all payment attempts.
2. High 4 Hours System Fault Major disruption: PCI Pal services suffering major disruption. Major disruption being defined as Issues impacting > 20% of agents or IVR payments, over a period of 1 hour, at any one customer site.
3. Medium 24 Hours Minor Fault Minor disruption: e.g. partial or reduced access to services, service affecting faults impacting < 20% of agents or IVR payments, over a period of 1 hour, at any one customer site. Non-service affecting faults.
4. Low 48 Hours Change Change: Change to system or configuration.
5 Low 72 Hours Query Question: General support questions, queries and analysis on retrospective and non-impacting issues.
|Support available to third parties||Yes|
Onboarding and offboarding
The service is very simple for a user to use and the standard train-the-trainer and User Acceptance Testing can be completed in a single day. We are able to provide both remote, on-site and on-line learning packages. We can work alongside Training Departments for larger organisations or where more custom integrations have been created, to help build internal training programs for users.
The project will also include either on-site or remote go live support.
|End-of-contract data extraction||Export by PCI Pal|
|End-of-contract process||PCI Pal will contact the user at the end of the contract to determine their requirements and agree a new term or exit process if required|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
|Accessibility testing||Dragon, Read/Write Gold, JAWS, Zoom Text.|
|What users can and can't do using the API||
The service for Agents/Advisors (i.e. individual users) through the API is the same. By integrating a Desktop Billing System to the API, the user experience can be enhanced due to the fact that all necessary data can be passed directly to PCI Pal without manual input by the User.
Administrative Users have the ability to configure the service including integration points and configuration of the User Interface. This setup is usually performed by PCI Pal in the initial deployment of the service but full training and accreditation is available should the customer wish.
Changes are made via the Administration web-based environment and not directly through the API. The API allows interfacing between a customer Desktop Environment and PCI Pal via RESTful Web Services.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
User interface can be customised to accommodate specific user requirements. This work is carried out by the PCI Pal professional services team and is included within the standard deployment process.
Following suitable training and accreditation from PCI Pal, it is possible to enable a customer's development team to access and administer changes to the service.
|Independence of resources||For each User (end customer), PCI Pal sets a limit for accessing each component (Web and Telephony) into PCI Pal. An example of this is the number of simultaneous telephone calls allowed for each user. This is not the number of licences, but a maximum peak above the number of licences to allow some burst scenarios. Alerting is used within the platform and the nature of the Cloud service architecture means that additional capacity can be very quickly added when capacity thresholds are reached.|
|Service usage metrics||Yes|
|Metrics types||Both standard and customised usage reports are available to show volumes, transactions attempted based on different criteria.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Service request to PCI Pal|
|Data export formats||Other|
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
PCI Pal offers a target service uptime availability to the Customer as follows: PCI Pal Platform Availability 99.999% average uptime per month
SLA Performance Metrics
Our performance metrics are measured 24/7/365 by our network monitoring infrastructure which will alert, by email, text message, and phone call, to our engineering team, who are also available 24/7/365.
Where the SLA is not met over the course of a single month period, PCI Pal agree to pay service credits to the Client as set out in this paragraph.
1. Failure to resolve a Priority 1 event within the service level will incur a service credit of £250 for the first failure in any month, followed by a service credit of £350 for the second and £450 for the third failure in any month. This is payable up to a maximum of 3 times per calendar month.
2. In addition, PCI Pal will credit a percentage of the monthly invoice value equivalent to the percentage of call failures in that month by the following:
Up to 20% call failures will receive a 10% reduction.
Above 20% call failures will receive a 25% reduction.
|Approach to resilience||Available on Request|
Administrator Level Users can view service updates via the PCI Pal platform.
Email Alerts are also in place to report outages and updates.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Platform is tenanted in the web environment and only allows Admin-level users to have access to the management interfaces of their specific tenant. Admin-Level users can also create sub-tenants within their own tenant and grant sub-tenant admin access to users. Standard Users (Agents) access the system to simply conduct payments for end customers. They are not able to view any of the administrative areas of the system or change or modify the functionality of their payment screens.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||QMS International|
|ISO/IEC 27001 accreditation date||14/03/2017|
|What the ISO/IEC 27001 doesn’t cover||N/A|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||7Safe,Cambridge Technology Centre, Melbourn, Herts, SG8 6DP United Kingdom|
|PCI DSS accreditation date||13th October 2017|
|What the PCI DSS doesn’t cover||We are a level 1 certified service provider|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||ISO 27001, ISO 22301, and PCI DSS compliant. PCI Pal adopts automatic and manual monitoring of systems to adhere to these policies.|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
Configuration and change requests are logged via our ticketing system (CR).
The CR must include a deployment plan, a rollback plan, a test plan and detail potential risks and impact to service, during the change window.
The CR is peer assessed before being passed for Change Manager and CAB approval.
A CAB is formed to assess and approve CRs on a weekly basis.
Once released, the change is tested and signed off.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Monthly reassessment to PCI DSS compliance;
Threats alerted from US-CERT, Cisco and Microsoft bulletins.
Patches deployed monthly if non-critical, within 3 days if critical.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
Constant monitoring by ASV.
Centralised logging server is monitored.
Incident Response plan in place with response deadlines within 8 hours. Any service-affecting incidents adhere to the defined Priority Level SLAs for customer communication on top of the Incident Response plan mentioned above.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Incidents can be raised reactively by a customer or proactively via our monitoring tools.
All incidents are logged via our ticketing system (INC).
Incidents are triaged and assessed for impact then prioritised correctly.
Once resolved, the customer is contacted to confirm satisfactory resolution.
Problem tickets (PR) are raised for any necessary follow up investigations (root cause analysis etc) following a high priority incident.
For all high priority incidents, a full fault summary is provided once the investigation is complete.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£204 to £360 per licence per year|
|Discount for educational organisations||No|
|Free trial available||No|