allpay provides a comprehensive over-the-counter network payments service utilising more than 40,000 PayPoint and Post Office outlets and branches nationwide, providing organisations with daily transaction data via its secure cloud-based portal. Payments can be made via barcoded bill or plastic payment card.
- Payment acceptance at more than 40,000 Post Office and PayPoints
- Nearly 12,000 Post Offices accepting cash, debit cards and cheques
- Nearly 30,000 PayPoint outlets accepting cash and debit cards
- Both networks from one supplier for collecting rent, tax etc
- Cleared funds settled into bank account of your choice
- Competitive and flexible transaction pricing
- Secure online access to daily reconciliation files, reduces administration
- Choice of payment media: barcoded bills or plastic swipecards
- Card and stationery ordering using our cloud-based portal
- Simple integration with back-office systems
- Maximise collection rates using the widest range of payment outlets
- Reduce arrears by providing payment convenience for customers
- Reduce administration through a single contract for networks and stationery
- Maximise cashflow through settlement to any bank account
- Increase efficiency through a single set of daily reconciliation files
- Promote your own branding through bespoke design of swipe cards
- Save back-office time through easy integration with management systems
- Consistent service across multiple sites through cloud-based portal
- Ensure service continuity through our tried and trusted implementation service
- Our simple method of managing multiple income streams, reduces administration
£0.299 per transaction
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Service constraints||Any planned maintenance of solution will be carried out outside of the normal working day to minimise any disruption to service. Clients will be made aware of any planned work prior to commencement.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Allpay’s 30-member strong UK in-house Customer Service Contact Centre (CSCC) team is available between 08:00 and 18:00 Mon to Fri for bill payer and organisation queries.
Currently, 97.4% of service user enquiries are resolved within 24 hours, with nearly 90% resolved ‘at time of call’.
Calls are logged on allpay’s Customer Relationship Management (CRM) database, assigned a case number, and responded to within four hours and resolved with minimal delay.
Outside these hours allpay ensures an engineer is on-call 24/7 for incidents.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
|Support levels||Outside the Customer Service Contact Centre hours, allpay ensures an engineer is on-call 24/7 for incidents.|
|Support available to third parties||Yes|
Onboarding and offboarding
Allpay will appoint a dedicated implementation contact to oversee the full implementation process – with weekly calls scheduled between them, the organisation's dedicated account manager and stakeholders at the Organisation. Typically the implementation would involve confirmation of payment media, payment methods, service settings at both payment networks, card and carrier approval and the receipt of test payment files to ensure compatibility.
On-site or web-based training can be provided on allpay’s cloud-based portal, Webconnect, allowing organisations to download Payment Information Files (PIFs) and reconcile payments. Webconnect is also the same system organisations would use to order payment cards either individually or in bulk. Training will cover user permissions, ordering, approving and cancelling cards, ordering single/bulk cards and viewing request history, with specialist Support Teams available post go-live.
Online Manuals will be provided.
|End-of-contract data extraction||Allpay will work with clients to ensure a smooth exit once the contact ends. Any client data will be returned in the format requested either in encrypted media form or over the secure online management tool.|
|End-of-contract process||Our contract price covers the setting up of the service as agreed. If the contract has run its intended or extended term or for any other agreed reason we would return client data (as detailed in the previous question). We would offer (subject to the exact requirement) any assistance we can to allow a smooth exit and transfer to any new supplier.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||A Mobile Payment App can be provided for mobile bill payment transactions.|
|Accessibility standards||WCAG 2.0 AAA|
Our cloud-based portals are compatible with IE9 and above, Chrome 24 and above, Safari 7, Firefox 18 and above, Opera 15 and above. The sites also conform to industry standards: AA of W3C and are compliant with the Equality Act 2010.
Testing is being considered and suitable clients are being identified.
|Description of customisation||
User permissions for the cloud-based portal, file formats to ensure compatibility, payment cards and carrier letters which are delivered to bill payers, how to pay leaflets.
Additionally, Payment Information Files can set to automatically download to the organisation's desired location via our free of charge plug-in Autoconnect
|Independence of resources||Allpay uses a number of utilisation tools to monitor its networks and associated equipment to ensure that all of our clients receive service in accordance with the Service Levels expected. Regular meetings take place to analyse the data and any improvement plans are then put forward for review. allpay has always invested in the latest and best technology to ensure we continue to meet all of our contractual commitments.|
|Service usage metrics||Yes|
|Metrics types||Allpay can work with clients to create bespoke reports and all reports have the option to be scheduled. Several different output formats are supported by default which cover the majority of industry standards. Ready access to this information will enable clients to understand their customers’ needs and help mark out areas for growth or to target for efficiency gains.|
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||Post Office and PayPoint provide payment networks.|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||To ensure integrity, transfer of data e.g. payment information files between clients and allpay is conducted via Webconnect, a secure, web-based, client communication portal developed and supported by allpay. Webconnect runs on Web Servers located at allpay’s data centres and will not require any installation on the user's (client) computer. It uses 256-bit Advanced Encryption Standard (AES) over Transport Layer Security (TLS) 1.2, creating a secure link between the organisation’s internet browsers and allpay’s web servers, ensuring all data transmitted between the two remains secure.|
|Data export formats||
|Other data export formats||ASCII|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||99.95, assured by contractual commitment.|
|Approach to resilience||
The allpay business continuity management system ensures that we can handle disruptive incidents. allpay’s data centres have full redundancy for all amenities and networking connectivity. Our data centres operate with real-time data replication supporting real-time failover between them. This provides a 99.5% availability excluding downtime required for planned upgrade and maintenance. Our data centres are ISO 27001 certified.
The allpay system is live 24/7/365. All hardware and software is reviewed and maintained on a regular basis. Access to the data is controlled and audited on a regular basis.
Key processes relating to transaction processing have failover plans to ensure alternative options are available in the event of a disruptive incident, such as a primary communications fail between allpay and partner networks.
allpay performs regular testing and maintenance of critical business functions alongside ongoing development of the existing service provision.
|Outage reporting||Organisations will be notified in advance of any scheduled maintenance. Scheduled maintenance is communicated via our cloud-based messaging portal, Webconnect, where a message will be displayed detailing the maintenance period. Additionally, emails would be sent directly to Super Users of the portal, who are sent the scheduled maintenance period by email.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
Access and connectivity security is our priority and we aim to offer the most secure but easy to use environment.
Access to allpay is via our cloud-based Webconect system. Access to Webconnect is granted by allpay providing the organisation with details of the Administrator account. It's the responsibility of the Administrator to change the initial password, set up user accounts and provide users with their account login details. We have a specific password structure to be followed. Other support channels are telephone and email. allpay would verify the initiator of any support request before dealing with any secure information.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR|
|ISO/IEC 27001 accreditation date||05/12/2008|
|What the ISO/IEC 27001 doesn’t cover||TBC|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Sysnet Global Solutions|
|PCI DSS accreditation date||14/02/2017|
|What the PCI DSS doesn’t cover||Allpay is directly PCI-DSS compliant and is a Level 1-certified payment service provider|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||Allpay has a fully documented and audited Security Information Policy and ISO 27001 accreditation. allpay's Head of Compliance has overall responsibility for ensuring that the policy is followed - he reports to our board of directors on any related matters. Since its inception in 1994 information security has been the corner stone of our operations. allpay maintains information resources which are essential to performing allpay business. Similar to any other capital resources owned by allpay, these resources are to be viewed as valuable assets over which allpay has both rights and obligations to manage, protect, secure, and control. allpay employees, contractors, third parties and other entities are expected to utilise these resources for appropriate purposes, protect access to them, and control them appropriately. Examples of information resources include, but are not limited to: Electronic data, Paper based information, reports, records and documents Information shared orally or visually (conversation, telephone call, or presentation) Information communicated in e-mails Computer Systems Networks Buildings People. A copy of the policy can be provided on request.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All internal servers deployed at allpay must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by IT Support. Operational groups shall monitor configuration compliance. Each operational group must establish a process for changing the configuration guides, which includes review and approval by IT Support.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Allpay performs monthly internal and external vulnerability scans as required by PCI. Internal auditors review systems as required and in conjunction with the allpay audit plan devised to maintain compliance with ISO 27001 & PCI standards. IT Operations have implemented various tools to monitor the health of the network, e.g. Ops Manager, Apps Manager, Tripwire, SIEM, IPS/IDS, Sophos Suite etc.
Checks are made for patches and updates daily, once alerted to a new patch, IT Support will download and review the new patch within four hours of its knowledge of release.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Using industry standard equipment our IT Operations team constantly analyse network traffic for signs of denial of service or other external attacks. allpay's Head of Compliance will be informed and immediate action taken if necessary.
In response to any identified compromise, allpay has a fully documented and audited Information Security Response Plan that covers all reports of information security weaknesses or events relating to any of the organisation’s information assets. Together with any events or weaknesses detected through any of the monitoring and alert services that are used to detect information security events.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Any possible security breaches would be reported to the client's contracts manager as soon as possible. allpay has mechanisms in place to manage Containment and Recovery, Risk Assessment, Notification of Breach, and Evaluation and Response. allpay’s Information Security Policy Handbook provides a framework for the management of information security to minimise risk.
The framework contains details of policies, processes and procedures relating to Risk Management, Information Security, Asset Management, Information Classification, Personnel Security, Physical and Environmental Security, Communication and Operations Management, Housekeeping, Access Control, Development and Maintenance, Third-Party Management, Business Continuity, Legal Compliance and Contractual Security Requirements.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.299 per transaction|
|Discount for educational organisations||No|
|Free trial available||No|
|Pricing document||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|