Trust & Compliance

Your payments, protected at every layer.

Bill Sumo is PCI DSS Level 1 certified with 256-bit AES encryption, SOC 2 Type II controls, and full AML/KYC compliance. We build security into every line of code and every partner contract.

  • PCI DSS Level 1 — Certified
  • 256-bit AES — Encryption
  • SOC 2 Type II — Audited
  • GDPR — Compliant
  • PSD2 — Compliant
  • AML/KYC — Screened

Security by design

Six pillars that protect your funds, your data, and your reputation — from infrastructure to human process.

Data Encryption at Rest & in Transit

All payment data is encrypted with AES-256 at rest and TLS 1.3 in transit. Private keys are stored in HSM-backed vaults with zero-knowledge access policies.

Hardened Cloud Infrastructure

Multi-region AWS deployments with WAF, DDoS mitigation, and private VPC networking. 99.99% historical uptime with active-active failover.

Continuous Threat Monitoring

24/7 SOC with real-time intrusion detection, automated anomaly alerting, and quarterly third-party penetration testing by certified ethical hackers.

Identity & Access Management

Mandatory 2FA, role-based access control (RBAC), device binding, and session anomaly detection. SSO via SAML 2.0 / OIDC for enterprise plans.

Audit & Compliance Trail

Immutable logs of every transfer, login, and configuration change. Export-ready for auditors and regulators. Retained for 7+ years per jurisdiction.

Fraud Prevention Engine

Real-time velocity checks, sanctions-list screening, device fingerprinting, and ML-based risk scoring. Suspicious transfers blocked before submission.

Compliance certifications

We maintain the highest standards across every jurisdiction we operate in. Our certifications are independently audited and renewed annually.

  • PCI DSS Level 1 Service Provider — annual QSA audit
  • SOC 2 Type II — security, availability & confidentiality
  • ISO 27001:2022 certified information security management
  • GDPR Article 28 & 32 — processor obligations and security measures
  • PSD2 / EBA RTS — strong customer authentication (SCA) on card rails
  • HKMA & MAS guidance alignment for Hong Kong and Singapore operations
  • APCA BECS compliance for Australian domestic payments
  • Full AML/CFT programme — ongoing customer due diligence
PCI DSS

PCI DSS Level 1 Service Provider

Bill Sumo is certified as a PCI DSS Level 1 Service Provider — the most stringent tier in the payment card industry. This means our cardholder data environment (CDE) has passed an annual onsite audit by a Qualified Security Assessor (QSA), covering all 12 PCI DSS requirements:

  • Secure network architecture with segmented CDE
  • Strong access control and least-privilege policies
  • Encrypted cardholder data with tokenization
  • Quarterly ASV vulnerability scans
  • 24/7 network monitoring and incident response
  • Annual penetration testing by certified testers
Level 1 Service Provider

  • Annual QSA audit: Passed
  • Network scans: Quarterly
  • Penetration tests: Annual
  • Compliance expiry: Rolling annual
  • AOC available: On request

Security FAQ

Common questions about how we protect your business.

Security that moves as fast as your business.

Open a free account in two minutes. Enterprise security from day one — no minimum volume required.