ScotPayments
A shared system that lets public bodies make payments to people and organisations.
Security
Reporting vulnerabilities
If you think ScotPayments security has been breached, contact ScotPayments@gov.scot immediately. Live users with severe suspected breaches should use the urgent support details provided to their service manager.
Please don't publicly share details of suspected breaches until they're fixed. The team can help with communications needs.
Access
ScotPayments is protected at network level and isn't openly available on the internet.
The service team will work with your IT department to secure your access, typically using IP allow-lists so only authorised endpoints can access the system.
Authentication
The system requires authentication for all interactions, with all requests logged and checked.
Users sign in through the Scottish Government's identity platform with Multi-Factor Authentication (MFA), supporting device-managed authenticator apps.
During onboarding, the team sets up appropriate roles and permissions for users.
HTTPS
ScotPayments follows government HTTPS security guidelines, using TLS for authentication and secure connections.
Organisations must:
- use HTTPS for all direct communication with ScotPayments
- use a current TLS cipher (TLS 1.3 recommended)
Cloud Platform Security
The service follows NCSC's Cloud Security Principles and uses the Scottish Government's Cloud Platform, aligning with standards including:
- Cloud Service Alliance Security, Trust & Assurance Registry (CSA STAR)
- Cloud Security Cloud Controls Matrix (CCM)
- National Cyber Security Centre Cloud Security Principles (NCSC CSP)
- ISO/IEC 27001:2013
- Open Web Application Security Project (OWASP)
- Centre for Internet Security (CIS)
- National Cyber Security Centre Cyber Assessment Framework (NCSC CAF)
Governance, risk and compliance
ScotPayments follows GovAssure principles and NCSC's Cyber Assessment Framework, with active governance and risk management.
The ScotPayments Security and Privacy Design Authority oversees security. It includes technical, security and product teams plus external experts from the Scottish Government's Cyber Security Unit.
Contact
If you'd like to learn more about ScotPayments, email: ScotPayments@gov.scot
Join the beta
ScotPayments is looking for new beta partners to join the service. To find out more, see our blogs.