Security & Data Protection


Committed to security, investing in technology

ParentPay sets the precedent for security in the school payments marketplace.
We strive to be at the forefront, setting the bar for our competitors to follow suit and keep our industry protected.
We take security and data protection seriously; we employ a full-time, dedicated security team to manage and maintain our Information Security Management System. The business invests heavily in technology, infrastructure and staff to ensure a safe and secure environment.
Our solutions have been reviewed and audited by a number of organisations including extensive technical and security due diligence by local authorities, central government departments and UK banks, as well as external audits that we have funded ourselves.
With a worldwide growth in cyber-security threats and an increase in data leaks and system compromises within household name organisations, we’re proud to offer in-house security capabilities typically only seen in large enterprises and specialist fields.

Security compliance

ParentPay is a certified PCI DSS Level 1 merchant, the highest level of compliance enforced by the PCI standard. This demonstrates that we have been subject to comprehensive third-party audits undertaken by a Qualified Security Assessor (QSA), certified by the PCI Security Council to validate an entity's adherence to the PCI DSS.
Online payments are processed via the Realex internet payment gateway. Realex operates one of the most secure and resilient card processing networks in Europe and they are certified under PCI DSS.

Data centre security

Our school online payment system is hosted, managed and maintained in a secure and reliable data centre, fully compliant with and certified to ISO/IEC 27001 and PCI DSS.
The data centre environment provides a range of security and safety features for central payments for schools that help to guarantee business continuity and system security:
  • High security access control and CCTV monitoring
  • Round the clock technical and monitoring staff on-site
  • Automated daily data back-ups including secure off-site storage
  • Redundant power supplies and off-grid power systems
  • Connections to multiple Internet Service Provider backbones
  • Resilient environmental control systems (fire suppression, air conditioning and cooling).

Comprehensive infrastructure protection keeps data safe

ParentPay uses industry leading technologies, toolsets and providers to protect our systems and keep pupil, personal and financial data safe at all times. Some of our security suite controls include:
  • Intrusion detection systems
  • Enterprise firewalls
  • Two-factor authentication
  • Vulnerability scanners
  • Anti-virus and anti-malware
  • Network cryptography
  • Endpoint encryption
  • Log consolidation and monitoring
  • Patch management
  • Penetration testing
  • System integrity checking
  • Security awareness training
  • Attack simulations and social engineering
  • Security information and event management
  • Comprehensive incident response plans.

Designed and developed to be secure

ParentPay has been designed with security in mind, and delivers end-to-end encryption from the client browser, right through to the bank.
ParentPay developers receive regular specialist security training to ensure the continued delivery of robust, secure and trusted source code.
Our payment system is subjected to rigorous external security testing by industry-leading ethical hackers who are highly regarded in their field. These specialists help locate any potential weak points for remediation.

A complete finance audit trail

The ParentPay application creates a complete audit trail of all payments. Transaction references and identifiers link parent and school accounts to the payment and banking network.
Transactions and refunds are recorded with a reference to the user who keyed the transaction, to maintain accountability. Transaction data is retained for at least 6 years.

Data protection

We understand the importance of customer security and data protection; the security of children's information is our absolute priority. We are registered as a Data Processor with the Information Commissioner's Office (registration number Z7380292).
ParentPay operates at all times under the legislation in the Data Protection Act (DPA) and within DPA guidelines. Our aim is to provide safe and secure online payments to schools and to protect the personal data of schools, parents and children.
ParentPay is committed to compliance with the EU GDPR (EU General Data Protection Regulation), which comes into force on 25th May 2018. ParentPay has a programme underway to document its compliance in the way the new legislation requires.
Your school and Local Authority will already be registered as a Data Controller so you remain fully in control of accessing, managing and updating all your data in the system. Our commitment to the school to act responsibly as a data processor is covered in our terms and conditions, our organisation security policy and our privacy policy.
We work with your council's IT, audit and security staff to provide security and data protection information when required.
Glossary:
GDPR
General Data Protection Regulation
ISO/IEC 27001
ISO/IEC 27001 is the International Standard for Information Security Management and is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive international security standards and requirements for enhancing payment account data security, developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures globally.
ICO
The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.