Data Privacy Certifications

Learn how we keep your data safe and secure.

As the cloud service provider for its Quantum products and services, Billtrust stores and manages client data in compliance with applicable laws and regulations to help you meet your own obligations. Our enterprise cloud services are independently validated through third-party audits, continual self-assessment and legal oversight.


SSAE16 SOC 1 and SOC 2 Compliance

Since Billtrust is a cloud service provider (CSP) whose clients rely on it to host the Quantum products and services, we undergo annual SOC 1 and SOC 2 audits. The American Institute of Certified Public Accountants (AICPA) developed the Service Organization Controls (SOC) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. Service audits based on the SOC framework fall into two categories, SOC 1 and SOC 2, both of which apply to Billtrust Quantum products and services.

A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 16) is the standard under which the audit is performed, and is the basis of the SOC 1 report.

A SOC 2 audit gauges the effectiveness of a CSP’s system, based on the AICPA Trust Service Principles and Criteria. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of the SOC 2 report.

At the conclusion of a SOC 1 or SOC 2 audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report, which describes the CSP’s system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

Billtrust Quantum products and services are audited annually against the SOC reporting framework by independent third-party auditors. The audit covers controls for data security, as applicable to the in-scope trust principles for each service.

Billtrust has obtained SOC 1 Type 2 and SOC 2 Type 2 reports. In general, the availability of SOC 1 and SOC 2 reports is restricted to customers who have signed nondisclosure agreements with Billtrust.

Click here to learn more about: SSAE16 Compliance


PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow PCI DSS if they accept payment cards from the five major credit card brands—Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.

Billtrust completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The assessor reviews Billtrust’s information security system, which includes validating billing management, POS card-present, and internet/e-commerce processing. The PCI DSS designates four levels of compliance based on transaction volume. Billtrust is certified as compliant under PCI DSS version 3.1 at Service Provider Level 3 (in this category, 20,000 to 1 million transactions are processed).

The assessment culminates in an Attestation of Compliance (AoC) and a Report on Compliance (RoC) issued by the QSA. The effective period for compliance is prospective: it begins upon passing the assessment and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. The AoC is available to customers to show that Billtrust’s QSA has determined Billtrust to be in compliance with PCI DSS v3.1.

Clients who utilize Billtrust’s Quantum products and services can leverage Billtrust’s validation, thereby reducing the associated effort and costs of getting their own PCI DSS certification.

Billtrust is listed as a compliant service provider on the MasterCard, VISA and American Express lists under the name Factor Systems, Inc.

Click here to learn more about: PCI Data Security Standard


HIPAA Privacy

The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)

Billtrust is a business associate for our clients, who are the covered entities.

The law regulates the use and dissemination of PHI in four general areas:

  • Privacy, which covers patient confidentiality.
  • Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
  • Identifiers, which are the types of information that cannot be released if collected for research purposes.
  • Codes for electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments.

The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, HIPAA and HITECH Act rules include:

  • The HIPAA Privacy Rule, which focuses on the right of individuals to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
  • The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes such organizational requirements as Business Associate Agreements (BAAs).
  • The HITECH Breach Notification Final Rule, which requires giving notice to individuals and the government when a breach of unsecured PHI occurs.

HIPAA regulations require that covered entities and their business associates—in this case, Billtrust when it provides its HIPAA-compliant products and services to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or BAAs, clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions of HIPAA and the HITECH Act. Once a BAA is in place, Billtrust customers—covered entities—can use its HIPAA-compliant products and services to process and store PHI.

Currently there is no official certification for HIPAA or HITECH Act compliance; however, Billtrust undergoes annual audits conducted by a QSA auditor and is provided with a Certificate of Compliance.

Click here to learn more about: HIPAA Omnibus Rule


NACHA Compliance

NACHA is the trustee of the ACH Network, managing the development, administration and rules for the payment network that universally connects financial institutions in the U.S. The Network, which moves money and information directly from one bank account to another, supports more than 90 percent of the total value of all electronic payments in the U.S. NACHA facilitates the expansion and diversification of electronic payments, supporting Direct Deposit and Direct Payment via ACH transactions, including ACH credit and debit payments; recurring and one-time payments; government, consumer and business transactions; international payments; and payments plus payment-related information. The NACHA Operating Rules & Guidelines is an annual publication produced by NACHA — The Electronic Payments Association.

Since Billtrust processes ACH payments on behalf of our clients, either directly into our clients’ bank accounts or indirectly, by first processing into the Billtrust account and then on to the client’s account, we must follow the NACHA Operating Rules & Guidelines.

The annual external audit of Billtrust ACH Operations is performed to verify compliance with the ACH Operating Rules and to meet the audit requirements detailed in Appendix Eight of the ACH Operating Rules. The audit results in a detailed report summarizing findings, if any, and an audit certification.

Click here to learn more about: NACHA Operating Rules and Guidelines

Pandemic Plan & Annual Audit

As a result of various client requests, and in addition to our disaster recovery plan, we have developed a pandemic plan which is tested annually. A pandemic is a global disease outbreak. The U.S. Department of Labor advises that a pandemic could affect as much as 40% of the workforce during peak influenza illness. Employees could be absent because (1) they are sick, (2) they must care for sick family members, (3) they must care for children if schools or day care centers are closed, or (4) they are afraid to come to work.

In preparation for the pandemic plan test, Billtrust conducts a Business Impact Analysis (BIA) on the critical business functions that directly relate to the development, delivery and support of the services Billtrust provides to its clients. For the simulated home quarantine, at least 40% of Billtrust employees are requested to work from home on a specific date to ensure that all critical systems and services continue to function normally. A work stoppage is simulated at two print operations facilities to ensure that the remaining facilities can pick up the slack and maintain normal production.

The results of the audit are a Pandemic Plan Test Report, which can be distributed to external parties, and a Pandemic Plan, which is used internally in the event of a pandemic.

The Compliance Department is responsible for working with the auditor to coordinate and facilitate the audit. Human Resources would be responsible for administering the plan in the event of an actual pandemic.

Anti-Money Laundering / Know Your Customer Compliance

The purpose of our Anti-Money Laundering (AML) compliance plan is to establish the general framework for the fight against money laundering, terrorism, corruption and other financial crimes; to prevent money laundering and terrorist financing; and to train specific personnel on legal and internal procedures. AML may also be referred to as Know Your Customer (KYC), Customer Due Diligence (CDD) or Customer Identification Program (CIP).

As a third-party payment processor, Billtrust is not considered a financial institution covered by the USA PATRIOT Act and, according to FinCEN administrative ruling FIN-2014-R009, is exempt from the definition of a money transmitter subject to the Bank Secrecy Act (BSA). Therefore, Billtrust does not have a regulatory obligation to maintain a formal AML program, but the company is fully committed to prohibiting and actively preventing money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities, by implementing the elements of an AML program that are applicable to our business.

There are five pillars to our AML program:

  1. Designation of a Compliance Officer
  2. Internal procedures and controls
  3. Ongoing employee training
  4. Independent annual auditor review and attestation
  5. Risk-based client due diligence procedures
