Advanced security for your financial operations

Reduce risk, combat fraud, and keep your data secure with BILL.

Designed with your privacy and security in mind

Multi-layered security

Multiple layers of powerful technology are integrated into the platform to combat payment fraud, network security breaches, and unauthorized account access, so we can protect sensitive customer data.

AICPA SOC 2 compliance

BILL adheres to the SOC 1 and SOC 2 compliance standards of the American Institute of CPAs (AICPA), undergoing an annual SOC 1 and SOC 2 Type II Audit for BILL Accounts Payable, BILL Accounts Receivable, and BILL Spend & Expense.


Protections for BILL Accounts Payable and BILL Accounts Receivable

Reduce your payment risk

Pay and get paid through our digital network

Keep bank account information private by making digital payments through a secure network of 4.7 million on BILL.

Enjoy enhanced security for check payments

BILL sends checks through a clearing account, so your own account remains hidden, and applies the kind of advanced payment protections that most banks charge for, like Positive Pay.

No third-party issuers

Unlike other AP platforms that use third-party services to issue payments, BILL Accounts Payable and BILL Accounts Receivable keep your payment processing in-house. That lets you mask your banking information while giving you more control over your payments and better visibility into their status.

HIPAA compliance

For healthcare organizations that need to maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), BILL Accounts Payable and BILL Accounts Receivable provide safeguards for electronic protected health information (ePHI).

Secure data centers

Secure data center facilities with full redundancy in more than one physical location provide backup protection against malicious attacks.

Advanced protection against data breaches

BILL Accounts Payable and BILL Accounts Receivable ensure customer data is protected at rest with encryption, while Transport Layer Security (TLS) provides bank-level protection during transfer.


How we keep BILL Spend & Expense secure


Designed with your privacy and security in mind

Multi-factor authentication

For company administrators with access to sensitive company information and controls, we require multi-factor authentication (MFA).

PCI compliance

BILL Spend & Expense is PCI compliant. That means we meet the Payment Card Industry Data Security Standard (PCI DSS) for organizations that handle branded credit cards.

Face and touch logins

The BILL Spend & Expense mobile app uses the latest security features, including Android fingerprint scanning and Apple Touch or Face ID.

Fraud protection

BILL Spend & Expense uses an advanced third-party platform that monitors all transactions in real-time and prevents complex fraud incidents with speed and accuracy to protect your business.

Secure data centers

BILL's production environment is located in Amazon Web Services (AWS) across 3 physically separate availability zones in the US-West-2 region, protecting services from loss of connectivity, power issues, or other location-specific outages.

Full data backups are saved continuously to the US-East-2 environment.


Need more details?

“We pay over 1,000 contractors from a single platform—on time, every month—keeping our banking information encrypted while syncing those payments with our accounting software, QuickBooks Online. We couldn't do that without BILL.”
— Elizabeth Reid, Corporate Compliance Accountant, BELAY

Frequently asked questions

How does BILL protect against unauthorized access to my account?
BILL Accounts Payable and BILL Accounts Receivable help protect against unauthorized access to your account by:

Enforcing a strong password policy.

Applying 2-Factor Authentication.

Sending login data over a secure channel.

Automatically logging out customers after a period of inactivity.

Educating our customers on the risks of business email compromise schemes.

Enforcing separation of duties with role-based access that lets you control who can enter, approve, and pay bills.

Automatically keeping a record of all AP activity with a timestamped audit trail that cannot be altered, including original bills, review notes, approvals, payments, and remittance details for each transaction. You can easily access that documentation for internal, vendor, and auditor inquiries.

How does BILL Spend & Expense help protect against unauthorized access to your account?

BILL Spend & Expense helps protect against unauthorized access to your account by:

Enforcing a strong password policy.

Applying 2-Factor Authentication.

Sending login data over a secure channel.

Automatically logging out customers after a period of inactivity.

What physical protections are in place through BILL?

BILL Accounts Payable and BILL Accounts Receivable servers and network infrastructure are hosted at secure data center facilities managed by leading certified data center providers.

BILL Spend & Expense is hosted in Amazon Web Services (AWS) and is therefore protected by the same high level of logical and physical security controls that AWS has for all clients.

All our employees undergo background checks and data security and privacy training.

We have a formal vendor management program to manage third-party risks.

What compliance protections are in place through BILL?

BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm.

BILL Spend & Expense maintains PCI Level 1 compliance by undergoing an annual audit by an independent Qualified Security Assessor (QSA).

BILL Accounts Payable and BILL Accounts Receivable achieved PCI Level 1 Compliance for virtual card and Pay by Card offerings.

We have adopted an Anti-Money Laundering (AML)/Office of Foreign Assets Control (OFAC) Program, which is designed to help prevent the BILL Service from being used for purposes of money laundering, terrorist financing, violating or subverting OFAC sanctions, or for other illegal purposes.

What payment protections are in place through BILL Accounts Payable and BILL Accounts Receivable?

Reduce risks from check theft by paying vendors with digital payments or checks that are sent by BILL on your behalf, rather than keeping blank check stock on your premises and exposing your bank information on checks you send.

BILL applies Positive Pay to reduce the risk of check fraud; the bank matches the check issued with the check presented for payment.

Keep your bank account information private from vendors by making digital payments through the BILL account.

What network protections are in place through BILL?

BILL uses security software, intrusion detection and prevention appliances, and network monitoring technology to detect and prevent unauthorized electronic access to our servers.

What data protections are in place through BILL?

BILL applies an additional level of encryption to protect access to sensitive customer data from malicious applications.

We use Transport Layer Security (TLS) and industry-standard cipher suites to protect customer data during transit over the internet.

BILL Accounts Payable and BILL Accounts Receivable replicate production data from the primary site to the co-location facility for disaster recovery scenarios.

What are some best practices for administrators and employees to secure transactions?

Do not share passwords, PINs, security tokens, or any other account credentials, and do not reuse the same credentials elsewhere. Keep them secure.

Always use strong, unique passwords that are not easily guessable. A random password of 8 or more characters that combines upper- and lower-case letters, numbers, and symbols is much harder to break.

Review account transactions daily and reconcile frequently.

Avoid using public computers to access your account—even if additional security measures have been taken.

Practice the security principles of least privilege and separation of duties. BILL provides granular, role-based access control capabilities in the product; use them to carefully grant and monitor access. Grant the minimal access employees need to do their assigned job duties, and promptly remove that access when it is no longer needed. Assign different roles to different employees so that no single person alone can compromise the transaction workflow.

Building a security culture where everyone understands their part in keeping an organization secure goes a long way. Train everyone in the company on best practices in information security, not just financial personnel. Identify regular opportunities to routinely discuss security best practices, such as staff meetings or other group check-ins.

Set up Multi-Factor Authentication to help further protect your account from unauthorized log-ins.

What are the best practices for administrators?

Install reputable anti-virus and anti-malware software and update it frequently. Most modern software updates automatically.

Keep operating system, browser, and email client patches up to date.

Keep your web browser software up to date by regularly installing the most recent version.

Use reputable network and desktop firewall solutions.

Require that users sign out of their computers or lock the screen when not in use, and monitor compliance.

Consider disabling CD, DVD and USB drives on all computers where these drives are not needed.

What are the best practices for accountants and employees?

Do not click on links or attachments in an email that seems suspicious, and do not reply to it. Forward all suspicious emails directly to your IT and/or Risk team.

Be suspicious of requests for secrecy or pressure to take action quickly.

Watch for bogus email messages disguised to appear as authentic. Fraudsters commonly spoof legitimate email domains with ones that look similar (e.g., name@busines.com or name@business.net instead of name@business.com).

Hover over an email address to ensure it isn’t being masked as something it’s not.

What credit card protections are in place through BILL Spend & Expense?

BILL Spend & Expense uses an advanced third-party platform that monitors all transactions in real-time and prevents complex fraud incidents with speed and accuracy to protect your business.

BILL Spend & Expense offers access to virtual cards with a unique card for every vendor, keeping your real card number hidden and better protecting your business from over-charges and fraud.

Responsible Disclosure Program

We take security seriously at BILL and are deeply appreciative of the role that security researchers play in improving the security posture of our product and platform.

We partner with HackerOne to facilitate responsible disclosure of any security issues impacting BILL services. If you believe you have discovered a security vulnerability that you would like to report, please submit using this form.

Report suspicious activity

Notice something fishy with your BILL account, or believe your information has been compromised?


Report phishing scams

Receive a suspicious email from someone claiming to represent BILL?

Don't reply to it

Don't click on any links

Don't open any attachments

Forward the email immediately to: phishreport@hq.bill.com

See where financial automation can take your business

Join the millions who pay or get paid with BILL.
