Security & Compliance
Billhighway understands the importance of security and compliance in today’s business world.
Our security program protects our system accounts and network environment in a layered approach for overall security. Billhighway takes significant precautions to protect the customer data and privacy to which we are entrusted.
- PCI-DSS Level 1 Certification
- SOC 1, Type 2 Certification
- Nacha Certification
Assessments & Reviews
- Visa, MasterCard, and AMEX Compliance Reviews
- Visa Global Registry of Service Providers
- Enterprise Risk Assessment
- Risk-based Internal Control Review
- Record Retention and Disposal Program
- Third-Party Risk Management Program
Customers & Third-Parties
- Third-Party Vendor Assessment Reviews
- Pre-Sales Engagement, Contract Review, and Post-Sales Support
Software platform & data security standards
We understand the potential impact on our clients and our organization if member data or payment information were to be compromised.
- Our engineers and architects maintain up-to-date training.
- Our most critical systems have enterprise-level support with 24/7 four-hour response Service Level Agreements.
- We do not engage channel partners for support unless required by the vendor.
- We have named contacts with second level support for all of our critical hardware and software platforms.
- The entire support team receives up-to-the notifications of health and alerts that impact the stability of the system.
- Billhighway maintains direct support relationships with all of our hardware and software vendors.
- Our rapid response team reacts with an all-hands-on-deck mentality when unexpected events occur.
- Our extensive monitoring platform gives our support team up to the minute awareness of the health of our systems.
- Our operations philosophy is fast paced, with a focus on stability and performance.
- Every configuration change or code deployment is evaluated for security and impact based on an established process of rigorous testing and in-depth peer review.
- Every change is created in our development environment and test deployed in staging before being approved for production.
- Our Quality Assurance team weighs in on every major change before implementation.
All critical data is stored on highly redundant, highly performant storage systems that are monitored for stability, tuned for performance, and configured to tolerate multiple failure of individual components. All data and system files are automatically backed up on a regular basis to minimize the risk of data loss and enable the recovery of data with minimal downtime.
- Backups of the database, network and file shares, and servers are scheduled at least daily. Differentials are backed up every 2 hours.
- Weekly full SQL backups are conducted within SQL native, in addition to 5-minute transactional backups.
- Backed-up data is appropriately secured and not accessible to unapproved users.
- Data and configuration files required to provide service continuity in case of a site failure are synchronized daily to our secondary sites to minimize downtime in case of unforeseen disaster.
- Billhighway leverages a multi-tiered backup retention methodology to account for varying levels of recoverability.
- Secure copies of backups are maintained on critical hosts for at least 90 days, with near-line storage for up to one year.
- Critical backups are immediately shipped to an environmentally secure offsite location to ensure against a disastrous failure of the primary data center.
- The backup media or method used factors in the data source and age-accessibility requirements of the data.
- Tier 1 level backups include the most recent 7 days of data on local storage, or a direct connected Storage Area Network (SAN) for instant availability.
- Tier 2 level backups include data over 7 days.
- Both tiers are stored on highly redundant, high-speed storage platform.
Billhighway’s network architecture has been designed to minimize the threat of outside attacks. UTM firewalls, Demilitarized Zone (DMZ), and an Intrusion Detection/Prevention System (ID/PS) are deployed to protect the network segments where the relevant applications reside.