As a cloud service provider for its products and services, Billtrust stores and manages our client data in compliance with applicable laws and regulations to help you meet your obligations. Our enterprise cloud services are independently validated through third-party audits, continual self-assessment and legal oversight.
SSAE 18 SOC 1 and SOC 2
Since Billtrust is a cloud service provider (CSP) whose products and services clients use on an outsourced basis, we conduct an SSAE 18 SOC 1 Type 2 and SOC 2 Type 2 audit at least annually. Our audits are performed by an accredited, independent third party.
A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) is the standard under which the audit is performed, and is the basis of the SOC 1 report.
A SOC 2 audit gauges the effectiveness of a CSP’s system, based on the AICPA Trust Services Criteria. An Attestation Engagement under Attestation Standards (AT) Section 101 is the basis of the SOC 2 report. Billtrust currently includes Security, Confidentiality and Availability in the SOC 2 audit.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow the PCI DSS if they accept payment cards from the five major credit card brands: Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
Billtrust completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The assessment culminates with an Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. The effective period for compliance is prospective and begins upon passing the audit and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. Billtrust is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1.
Clients who utilize Billtrust’s PCI compliant products and services significantly reduce the scope, cost and effort of their own PCI compliance assessments.
Billtrust is listed as a compliant service provider on Visa’s approved service provider list under the name Factor Systems, Inc.
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)
Billtrust is a business associate for our clients, who are the covered entities.
HIPAA regulations require that covered entities and their business associates (in this case, Billtrust when it provides services to covered entities) enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, known as business associate agreements (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions of HIPAA and the HITECH Act. Currently there is no official certification for HIPAA or HITECH Act compliance; however, Billtrust undergoes an annual risk assessment.
NACHA is the trustee of the ACH Network, managing the development, administration and rules for the payment network that universally connects financial institutions in the U.S. The Network, which moves money and information directly from one bank account to another, supports more than 90 percent of the total value of all electronic payments in the U.S. NACHA facilitates the expansion and diversification of electronic payments, supporting Direct Deposit and Direct Payment via ACH transactions, including ACH credit and debit payments; recurring and one-time payments; government, consumer and business transactions; international payments; and payments plus payment-related information. The NACHA Operating Rules & Guidelines is an annual publication produced by NACHA — The Electronic Payments Association.
Billtrust processes ACH payments on behalf of our clients both as a Third Party Service Provider and as a Third Party Sender. Billtrust performs an annual, independent, external audit of our ACH operations as required by the ACH Operating Rules.
Pandemic Readiness, Business Continuity and Disaster Recovery
Billtrust performs an annual Business Continuity and Disaster Recovery risk assessment. Our plans are based on the NFPA 1600 Standard for Disaster/Emergency Management and Business Continuity/Continuity of Operations (2019 edition).
Billtrust also maintains a pandemic plan, which is tested annually. A pandemic is a global disease outbreak. The U.S. Department of Labor advises that a pandemic could affect as much as 40% of the workforce during peak influenza illness. Employees could be absent because (1) they are sick, (2) they must care for sick family members, (3) they must care for children if schools or day care centers are closed, or (4) they are afraid to come to work.
In preparation for the pandemic plan test, Billtrust conducts a Business Impact Analysis (BIA) on the critical business functions that directly relate to the development, delivery and support of the services Billtrust provides to its clients. For the simulated home quarantine, at least 40% of Billtrust employees are requested to work from home on a specific date to ensure that all critical systems and services can continue to function normally. Work is stopped at two print operations facilities to ensure that the remaining facilities can absorb the load and maintain normal production.
The results of the test are a Pandemic Plan Test Report, which can be distributed to external parties, and a Pandemic Plan, which is used internally in the event of a pandemic.
The purpose of our Anti-Money Laundering (AML) compliance plan is to establish the general framework for the fight against money laundering, terrorism, corruption and other financial crimes; to prevent money laundering and terrorist financing; and to train specific personnel on legal and internal procedures. AML may also be referred to as Know Your Customer (KYC), Customer Due Diligence (CDD) or Customer Identification Program (CIP).
As both a Payment Facilitator and a third party payment processor, Billtrust maintains a formal AML program designed to exceed industry standards.
GDPR: General Data Protection Regulation
GDPR is the European Union’s (EU) comprehensive privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU. Billtrust supports our international clients who are required to comply with this regulation that went into effect on May 25, 2018. Billtrust has partnered with specialized international data protection attorneys to proactively offer the required data protection agreement (DPA) to our international clients to expedite their compliance.
Privacy Shield Certified
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Billtrust maintains certifications for both frameworks.