IT & Data Security

A list of suggested questions to ask your Direct Debit provider about IT and data security.


Security is of paramount importance when picking a provider, particularly when it comes to payments. You'll want to find a provider who can offer a proven high level of security.

The following list of suggested questions has been vetted by our security and technical team:

1. Describe how access to payments data is controlled (i.e. who can access it, how access is granted and performed, details of encryption, etc.).
   Explanation: In general, these questions are about confirming that the provider has established practices that keep payments data secure. Payments data should be encrypted and difficult to gain access to.

2. Describe your password security guidelines and how these are enforced.
   Explanation: For due diligence.

3. Has your system been externally penetration tested? If so, please attach a copy of the report (or at least the summary).
   Explanation: Penetration tests should be carried out by an external provider, at least semi-annually; they ensure that any security vulnerabilities are discovered and resolved.

4. When was your system last externally penetration tested?
   Explanation: For due diligence.

5. How often is your system externally penetration tested?
   Explanation: For due diligence.

6. Describe how your application and its associated data are hosted (i.e. cloud, bare metal, local vs. remote, etc.). If you use any external providers, specify them and explain why they were chosen.
   Explanation: For due diligence.

7. Are your data centres located in the EU? Specify where.
   Explanation: For due diligence.

8. What software is used to generate Bacs submissions, and how is access to it controlled?
   Explanation: For due diligence.

9. How is physical security ensured (i.e. employee access, designated rooms for servers, etc.)?
   Explanation: For due diligence.

10. Describe how the encryption of payment details works, including web-based encryption (e.g. HTTPS).
   Explanation: Ensuring that the data is encrypted from end to end is crucial; transmission over the web should be TLS/HTTPS only, and SSL keys should be used internally and stored securely.

Our sample RFP includes all of the questions above and more. You can download it here and use it as a template for creating your own.

Note: The questions suggested on this page are intended as a starting place for writing your own RFP. They're provided for general information only: they're not intended to be prescriptive or to provide legal advice. We suggest working closely with your management to develop an RFP that is tailored towards the specific requirements of your business.
