Security & Compliance

Billhighway understands the importance of security and compliance in today’s business world and we are committed to protecting the information of your members.

Billhighway's Compliance Program

Our compliance program incorporates risk-based control reviews, annual internal and external audits, third-party contract and vendor management reviews and provider compliance assessments to ensure continued compliance with regulatory requirements.

Audits

  • PCI-DSS Level 1 Certification
  • SOC 1, Type 2 Certification
  • Nacha Certification

Assessments & Reviews

  • Visa, MasterCard, and AMEX Compliance Reviews
  • Visa Global Registry of Service Providers
  • Enterprise Risk Assessment
  • Risk-based Internal Control Review

Programs

  • Record Retention and Disposal Program
  • Third-Party Risk Management Program

Customers & Third-Parties

  • Third-Party Vendor Assessment Reviews
  • Pre-Sales Engagement, Contract Review, and Post-Sales Support

Security Program

Our Security Program is designed to limit access to the network environment, and we use a variety of controls to prevent misuse of information within that environment.

  • Billhighway undergoes rigorous control reviews and annual external audits to ensure the security of our platforms.
  • Our system accounts and network environment are protected in a layered approach for overall security.
  • Billhighway takes significant precautions to protect the customer data and privacy to which we are entrusted.
Identify, Protect, Detect, Respond, Recover
  • Suite of monitoring and security tools to secure our environments
  • Risk Management Assessment completed annually to assess our overall company risk
  • Next generation firewalls and web application firewalls
  • Next generation anti-virus and malware/ransomware protection
  • Daily operations monitoring and alerting
  • Network segmentation
  • Multi-factor authentication (MFA)
  • Annual cyber/AML/fraud training
  • SIEM/MDR monitored 24/7 by a third-party
  • Quarterly vulnerability scanning by a third-party
  • Bi-annual penetration testing
  • Various third-party monitoring tools and dashboards
  • Security Incident Response Plan in place
  • Trusted resources for cyber intelligence and support
  • Forensics teams available as needed
  • Daily backups/cloud storage
  • Replication services in Azure
  • Cyber insurance
  • Business Continuity Program in place

Software Platform & Data Security Standards

We understand the potential impact on our clients and our organization if member data or payment information were to be compromised.

PCI Level 1 Certified

To mitigate potential breaches, Billhighway made the decision to invest in becoming PCI Level 1 certified. This means that the Billhighway infrastructure, systems and processes undergo a rigorous annual series of audits by accredited third parties. To satisfy these criteria, we are required to maintain the highest level of security standards in the payment card industry.

Annual SOC Audit

Billhighway also conducts an annual SOC audit by an independent accounting firm. The purpose of this audit is to validate the design and operating effectiveness of the controls in Billhighway’s Description of its Financial Management Platform and Accounting Solutions System.

Assessed Controls

The controls assessed in the Billhighway platform include the following processes:
  • New Client Setup and Implementation
  • Incoming Funds Control
  • Funds Processing Controls
  • Outgoing Funds Controls

Hosting Services

Billhighway leverages a hybrid cloud environment with on-premises, co-located, and cloud-hosted services to provide a fully redundant, fault-tolerant, scalable platform.

In the Billhighway brick and mortar datacenter, every service at every layer leverages either active/passive failover clustering, network load balancing, or compute clustering to provide multiple layers of redundancy.

We invest heavily in the hardware and software required to eliminate all single points of failure. We do this with a constant awareness of compliance and security, and active monitoring on all critical systems.

Cloud Platforms

Our cloud platforms leverage state-of-the-art technology provided by our partners.

Billhighway utilizes Amazon Web Services (AWS) and 123.Net hosted and co-location data centers for its managed IT operations and applications hosting.

We have built our cloud solution to be secure, fault-tolerant, and scalable.

Our engineers maintain cutting edge skills and awareness of the newest features and options available.

We maintain a robust lab environment where we evaluate new technology for applicability and adoptability.

We maintain partnerships with architects and engineers that allow us to quickly adopt modern technology without unnecessary risk.

Technical Support

  • Our engineers and architects maintain up-to-date training.
  • Our most critical systems have enterprise-level support with 24/7 four-hour response Service Level Agreements.
  • We do not engage channel partners for support unless required by the vendor.
  • We have named contacts with second-level support for all of our critical hardware and software platforms.
  • The entire support team receives up-to-the-minute notifications of health and alerts that impact the stability of the system.
  • Billhighway maintains direct support relationships with all of our hardware and software vendors.
  • Our rapid response team reacts with an all-hands-on-deck mentality when unexpected events occur.
  • Our extensive monitoring platform gives our support team up-to-the-minute awareness of the health of our systems.

Operations

  • Our operations philosophy is fast paced, with a focus on stability and performance.
  • Every configuration change or code deployment is evaluated for security and impact based on an established process of rigorous testing and in-depth peer review.
  • Every change is created in our development environment and test-deployed in staging before being approved for production.
  • Our Quality Assurance team weighs in on every major change before implementation.

Disaster Recovery

All critical data is stored on highly redundant, highly performant storage systems that are monitored for stability, tuned for performance, and configured to tolerate multiple failures of individual components. All data and system files are automatically backed up on a regular basis to minimize the risk of data loss and enable the recovery of data with minimal downtime.

  • Backups of the database, network and file shares, and servers are scheduled at least daily. Differentials are backed up every 2 hours.
  • Weekly full SQL backups are conducted within SQL native, in addition to 5-minute transactional backups.
  • Backed-up data is appropriately secured and not accessible to unapproved users.
  • Data and configuration files required to provide service continuity in case of a site failure are synchronized daily to our secondary sites to minimize downtime in case of unforeseen disaster.
  • Billhighway leverages a multi-tiered backup retention methodology to account for varying levels of recoverability.
  • Secure copies of backups are maintained on critical hosts for at least 90 days, with near-line storage for up to one year.
  • Critical backups are immediately shipped to an environmentally secure offsite location to ensure against a disastrous failure of the primary data center.
  • The backup media or method used factors in the data source and age-accessibility requirements of the data.
    • Tier 1 level backups include the most recent 7 days of data on local storage, or a direct connected Storage Area Network (SAN) for instant availability.
    • Tier 2 level backups include data over 7 days.
    • Both tiers are stored on a highly redundant, high-speed storage platform.

Network Security

Billhighway’s network architecture has been designed to minimize the threat of outside attacks. UTM firewalls, a Demilitarized Zone (DMZ), and an Intrusion Detection/Prevention System (IDS/IPS) are deployed to protect the network segments where the relevant applications reside.

Firewalls & Infrastructure

Industry-standard firewalls and switching infrastructure employ a combination of security measures to restrict access, including routing, VLANs, public/private NATs, and port/protocol restrictions governing access between trusted and untrusted interfaces.

Web Application Firewalls

Web Application Firewalls (WAF) are also in place to provide a higher layer, more intelligent protection for more sophisticated attacks. The WAFs reside in the DMZ behind the corporate firewalls.

Anti-virus & Anti-malware

Antivirus and anti-malware software is installed on active user workstations. Billhighway uses a multi-tiered approach, deploying a cloud-based spam and ransomware/virus protection system to keep our systems secure. Virus signature definitions are automatically updated throughout the day.

Risk Management

Billhighway also deploys a managed 24/7 SIEM/MDR service that extends our risk management profile by using threat hunting, machine intelligence, and anomalous-behavior analysis to identify, detect and prioritize any threat to the environment. Our SOC team is immediately alerted to any vulnerability or cyber threat and provides a clear path to response and eradication as required.

Physical Security

Billhighway’s physical locations include a corporate office (Troy, Michigan) and a third-party co-location data center service provider, 123Net (Southfield, MI). 123Net has undergone a SOC 2, Type 2 attestation and Billhighway considers the facility physically and environmentally secure. Access to the office is secured and restricted to authorized personnel.

Compliance Team

The team works to prevent, detect, and respond to business conduct that is inconsistent with the organization’s values, as well as regulatory requirements.

Our regulatory and security compliance efforts are continually reviewed and enhanced.

Using a risk-based approach, the team evaluates internal controls across the organization to ensure alignment with PCI DSS, SOC 1, Type 2 control requirements, and soon, SOC 2, Type 1 requirements.

The team monitors organizational controls for federal, state, and other country regulatory requirements.