Security and compliance

GOV.UK Pay provides a safe and Payment Card Industry (PCI) compliant platform to process card payments.

You can find more information about our security and compliance in the memorandum of understanding (for crown bodies) and contract (for non-crown bodies, for example local authorities and the NHS). These are available in the footer when you sign in to your account.

PCI compliance

GOV.UK Pay is certified as a level 1 service provider with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1. The PCI DSS provides guidance to help maintain payment security.

If you need to see proof of our compliance (also known as an ‘attestation of compliance’), sign in to your test account and you’ll find a link to it in the footer.

If you’d like to take payments by phone or post, you’ll also need to be PCI compliant. Before you can take payments like this, you’ll need to show us proof of your PCI compliance.

For a trial period, we’re going to be offering free 1-2-1 support on all your PCI questions. So, get in touch with all your questions.

More information about PCI compliance is in our technical documentation.

Government security guidelines

GOV.UK Pay supports the government HTTPS security guidelines.

HTTPS protects information from being intercepted by malicious third parties as it travels over the internet. Using HTTPS ensures our connections on GOV.UK Pay are secure.

GOV.UK Pay also supports all the mandatory requirements for Government ICT systems and services.

GOV.UK Pay is independently tested

The GOV.UK Pay environment is regularly tested by independent suppliers.

This includes:

  • at least one annual IT Health Check
  • internal and external vulnerability scanning

GOV.UK Pay is also independently assessed for its PCI DSS compliance.

Data handling

We only collect the data necessary to run GOV.UK Pay.

We won’t retain that data any longer than we need it (and never longer than 7 years), and we only share it if it’s necessary to run GOV.UK Pay or if required by law.

GOV.UK Pay is the data processor and your service is the data controller. The data protection/data processing agreement is in schedule 4 of the memorandum of understanding and schedule 5 of the contract.

Liability

Section 13 in the memorandum of understanding and contract sets out the liability between GOV.UK Pay and your service.

Fraud prevention

While anti-fraud measures are generally set by your payment service provider, we have designed some features to help.

For instance, you can block users from paying with prepaid cards. Or, if you use Worldpay, you can set your account to refuse a transaction if an IP address isn’t provided. This is particularly useful if your service has a higher risk profile.

Cloud Security Principles

GOV.UK Pay has implemented the NCSC Cloud Security Principles.

Accessibility

GOV.UK Pay is fully compliant with the Web Content Accessibility Guidelines version 2.1 AA. More information is in our accessibility statement.

GOV.UK Service Manual

GDS services follow the standards described in the GOV.UK Service Manual.

The standards describe the best way to build and run a service and include advice about:

  • accessibility and assisted digital
  • agile delivery
  • design
  • technology

Further information

Further detail about security and compliance is available in the memorandum of understanding (for crown bodies) and contract (for non-crown bodies) and in our technical documentation.