Six Degrees Technology Group Limited

Livepay - PCI Compliant SIP Trunking

The Livepay Service delivers PCI DSS compliance by masking credit card information from your agents and your existing call recording platforms. Livepay is a full resilient business grade service to be used with Six Degrees SIP trunking.

Features

• Inline service using DTMF to allow customers to make payments
• The Livepay Payment Portal is compatible with most modern browsers
• Number porting – retain existing numbers
• Resilient and highly available service
• Flexible call capacity options
• Proactively managed service
• Fraud monitoring
• Business grade IP telephony
• Integration with majority of payment service providers

Benefits

• Compatible with all SIP based customer PBXs, Gateways, or PBXs.
• Resilient, scalable and highly available service
• Flexible technical and commercial models
• Quick and efficient route to achieving PCI compliance
• Cost effective solution

£15.50 a unit a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector.sales@6dg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

880828253708196

Contact

Rob Walton
07813303485
publicsector.sales@6dg.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Livepay must be used with Six Degrees SIP Trunking.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: Livepay is hosted on Six Degrees infrastructure and must be used with the Six Degrees SIP trunking service. Calls must route through the Six Degrees network in order to use the Livepay service.
• System requirements:
  • SIP RFC3261 compliant PABX, gateway or SBC
  • Sufficient customer SIP trunk capacity
  • Integration with customer's payment gateway provider

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Please see Service Description for all SLAs and KPIs
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Full support of services are provided as standard via our Support Desk. The Support Desk is available 24x7 and is manned by 1st/2nd line support engineers. The service desk has direct escalation to the operations team where full 3rd line support is provided. ; ; Full out of hours support is also provided for all P1 and P2 incidents with clear escalation paths.; ; All customers are allocated a service delivery manager who is responsible for ensuring the smooth delivery of the service, acts as an escalation point for all incidents, and provides full monthly service reporting.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Not applicable for SIP services.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: Microsoft Word and Excel
• End-of-contract data extraction: Not applicable for SIP services.
• End-of-contract process: We will provide transition services within reason to help the customer move to another service.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• Description of service interface: Users can raise support tickets and change requests etc. through Six Degrees' online customer portal, which is provided via our chosen IT Service Management tool.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: None.
• API: No
• Customisation available: Yes
• Description of customisation: Users can choose geographical and non-geographical numbering from the UK and rest of world. We can provide load sharing, active / standby configurations for SIP endpoints and trunk capacity to suit their requirements.

Scaling

• Independence of resources: We proactively manage our network capacity to ensure we have sufficient headroom. We configure all customer trunks with their number of contracted channels to ensure one customer cannot impact another customer's ability to use the service.

Analytics

• Service usage metrics: Yes
• Metrics types: We are able to provide SIP trunk utilisation statistics including the number of calls.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Not applicable for SIP services.
• Data export formats: Other
• Other data export formats: Not applicable for SIP services.
• Data import formats: Other
• Other data import formats: Not applicable for SIP services.

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: SIP traffic terminates on the Six Degrees Session Border Controllers (SBCs) which act as back to back user agents (B2BUA), which provides robust security between networks. Traffic is unencrypted as standard, TLS and SRTP is available as a separate cost option.
• Data protection within supplier network: Other
• Other protection within supplier network: Data (SIP traffic) within the Six Degrees network is authenticated based upon a known IP address which provides a high level of security. Different customers' traffic is separated into different MPLS VRFs.

Availability and resilience

• Guaranteed availability: 99.99% uptime for resilient SIP trunks and an R-Factor greater than 85.
• Approach to resilience: Our service is designed with no single points of failure - we have geographically diverse and highly available session border controller clusters, multiple physical and logical carrier trunks and a multi-path QOS enabled MPLS network over which services run.
• Outage reporting: We have a suite of network management tools that proactively alert should there be any service issues.

Identity and authentication

• User authentication needed: Yes
• User authentication: Other
• Other user authentication: SIP trunk IP address authentication.
• Access restrictions in management interfaces and support channels: SIP trunk IP address authentication. The Six Degrees SBCs will only allow traffic from known customer IP addresses. Traffic from other source IP addresses will be discarded.; ; Only authorised contacts are granted access rights to the service. The Support Desk will only accept requests from authorised contacts. Communication with anybody at Six Degrees will need to be pre-approved by a known individual in writing. Management of the infrastructure is via dedicated connectivity and out of band of customer data and customer networks
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Lloyd's Register Quality Assurance (LRQA)
• ISO/IEC 27001 accreditation date: 17/04/2020
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Convergent Network Solutions
• PCI DSS accreditation date: 01/06/2018
• What the PCI DSS doesn’t cover: Only the physical and environmental security at Six Degrees' data centres in Birmingham, London and Studley were included in this assessment. The relates to the provision of the secure physical environment for the Colocation Services with Six Degrees provides to its clients. All other services provided by Six Degrees, internal systems supporting business operations or for other clients are specifically excluded from this assessment.
• Other security certifications: Yes
• Any other security certifications:
  • PSN Compliance Certified
  • Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials & PSN
• Information security policies and processes: All ISO 27001:2013 controls and associated policies are in place. Enhanced weekly and quarterly external approved scanning vendor (ASV) vulnerability scanning. Six Degrees comply with our PSN CoCo which is aligned to our security principles that allows us to deliver our customers PSN Secure and Protect.; Six Degrees operate a rolling internal audit programme to ensure continuity of compliance to our various accreditations , as well as internal technical auditing of our systems through the use of various integrity checks. This ensures that there is always a fully justified and documented Change Request for any modification of our secure systems.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All non-standard changes must be pre-authorised by going through a peer, senior and CAB approval process. Standard changes are created in template form and are approved in CAB before being implement into Change controls.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Six Degrees (Public Sector) run an internal vulnerability test once a week. All reported vulnerabilities that are reported are categorised into priority depending on the severity and a case is logged with the operation team who will fix the vulnerability under the time frames dictated by Public sector patching policy. This conforms to the PCI-DSS standard.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Six Degrees (Public Sector) have a protective monitoring system where all logs are centralised and checked on a daily basis for security breaches using several key search filters. Alerts are sent out for high risk activity and are pro-actively responded to by the operations and security teams. This conforms to the PCI DSS standard.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Six Degrees operate an ITIL aligned incident management process with associated procedures for security related incidents. The process has a clearly defined governance framework, including roles & responsibilities, clear policies and associated KPIs. This process conforms to PCI DSS.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Public Services Network (PSN)

Pricing

• Price: £15.50 a unit a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We can provide free Livepay SIP channel rental for a period of 3 months, the customer pays for call usage.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector.sales@6dg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.