Security and Compliance Certifications

Learn how we keep your data safe and secure.

As a cloud service provider for its products and services, Billtrust stores and manages our client data in compliance with applicable laws and regulations to help you meet your obligations. Our enterprise cloud services are independently validated through third-party audits, continual self-assessment and legal oversight.

SSAE 18 SOC 1 and SOC 2

Since Billtrust is a cloud service provider (CSP) whose clients outsource products and services to it, we undergo an annual SSAE 18 SOC 1 Type 2 and SOC 2 Type 2 audit. Our audits are performed by an accredited, independent third party.

A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) is the standard under which the audit is performed, and is the basis of the SOC 1 report.

A SOC 2 audit gauges the effectiveness of a CSP's system, based on the AICPA Trust Service Criteria. An Attestation Engagement under Attestation Standards (AT) Section 101 is the basis of the SOC 2 report. At a minimum, Billtrust includes Security, Confidentiality, and Availability in the scope of its SOC 2 audit.

PCI Compliance

The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands—Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.

Billtrust completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The assessment culminates with an Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. The effective period for compliance is prospective and begins upon passing the audit and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. Billtrust is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1.

Clients who utilize Billtrust's PCI compliant products and services significantly reduce the scope, cost and effort of their own PCI compliance assessments.

Billtrust is listed as a compliant service provider on Visa's approved service provider lists under the name Factor Systems.

HIPAA Privacy

The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)

Billtrust is a business associate for some of our clients, who are the covered entities.

HIPAA regulations require that covered entities and their business associates—in this case, Billtrust when it provides services to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, called Business Associate Agreements (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party's adherence to the security and privacy provisions of HIPAA and the HITECH Act. Currently there is no official certification for HIPAA or HITECH Act compliance; however, Billtrust undergoes an annual risk assessment.

NACHA Compliance

NACHA is the trustee of the ACH Network, managing the development, administration and rules for the payment network that universally connects financial institutions in the U.S. The Network, which moves money and information directly from one bank account to another, supports more than 90 percent of the total value of all electronic payments in the U.S. NACHA facilitates the expansion and diversification of electronic payments, supporting Direct Deposit and Direct Payment via ACH transactions, including ACH credit and debit payments; recurring and one-time payments; government, consumer and business transactions; international payments; and payments plus payment-related information. The NACHA Operating Rules & Guidelines is an annual publication produced by NACHA — The Electronic Payments Association.

Billtrust processes ACH payments on behalf of our clients both as a Third Party Service Provider and as a Third Party Sender. Billtrust performs an annual, independent, external audit of our ACH operations as required by the ACH Operating Rules.

Pandemic Readiness, Business Continuity and Disaster Recovery

Billtrust performs an annual Business Continuity and Disaster Recovery risk assessment. Our plans are based on NFPA1600 Standard for Disaster/Emergency Management and Business Continuity/Continuity of Operations (2019 edition).

Billtrust also maintains a pandemic plan, which is tested annually and was successfully put into effect during the COVID-19 pandemic. Over 90% of Billtrust's workforce successfully fulfilled their business functions and roles while working remotely. Billtrust continues to employ remote work as an ongoing business strategy.

Anti-Money Laundering

Billtrust maintains a documented Anti-Money Laundering (AML) program designed to meet its contractual obligations with its sponsor banks. The purpose of our AML program is to establish the general framework for the fight against money laundering, terrorism, corruption and other financial crimes; to prevent money laundering and terrorist financing; and to train specific personnel on legal and internal procedures. AML programs may also be referred to as Know Your Customer (KYC), Customer Due Diligence (CDD) or Customer Identification Program (CIP).

Privacy Shield Certified

We no longer rely on the EU-U.S. Privacy Shield to transfer EEA and UK personal information to the U.S., but we continue to apply the Privacy Shield Principles to personal data we receive from the EEA and UK. Billtrust maintains its certifications to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.