Security is our top priority

Data security is top of mind for every business, particularly for those that handle financial information. With over 10 years of experience in financial services, VersaPay understands data protection regulations and meets the highest security standards. VersaPay’s compliance, internal practices, data centers, and security monitoring are best-in-class to ensure your customer and financial information is protected in a secure environment.

Third-party certified security partner

VersaPay is audited annually and continually abides by comprehensive security assessments and certifications by third parties to ensure we meet the highest standards as a certified security partner.

PCI DSS Compliant

PCI DSS Level 1 Service Provider

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

The PCI DSS designates four levels of compliance based on transaction volume. VersaPay is certified as compliant under PCI DSS version 3.1 at Service Provider Level 1 (the highest volume of transactions – more than 6 million a year).

VersaPay completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The auditor reviews VersaPay’s Information Security System, which includes validating the infrastructure, development, operations, management, support, and in-scope services.

Service Organization Controls


Also known as SSAE 16 / ISAE 3402 / CSAE 3416, Service Organization Controls (SOC) 1 is a series of accounting reports undertaken by a service auditor to evaluate the internal controls at a service organization when they are likely to be relevant to customers’ internal control over financial reporting. VersaPay is recognized as a SOC 1 service provider.


The SOC 2 audit is an independent review of an organization’s controls, providing a definitive security assurance to help IT teams evaluate managed service providers. SOC 2 allows service organizations to quantify their adherence to the Trust Service Principles (TSP) relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

Top-tier data centers to ensure your data is protected, 24/7, 365

VersaPay’s services are hosted in top-tier data centers that provide carrier-level support. Support spans across different areas of security to ensure all considerations for your data protection are covered.

Access Control and Physical Security

Physical security of the data center is protected with 24/7 manned security (foot patrols and perimeter inspections), video surveillance, biometric scanning for access, concrete-walled data center room, access-controlled steel-caged computing equipment and tracking of asset removal. The physical facility is protected from environmental risks and is engineered for local, seismic, storm and flood risks.

Environmental Control

Humidity and temperature control and redundant (N+1) cooling system ensure data centers are physically optimal and that your data is protected from environmental threats.


Data centers are powered by an underground utility power feed. Redundancy is in place to ensure power with redundant (N+1) CPS/UPS systems, redundant power distribution units (PDUs), and redundant (N+1) diesel generators with on-site diesel fuel storage.


VersaPay’s data centers are network-neutral, connecting to all major carriers, and are located near major Internet hubs. Data centers have concrete vaults for fiber entry, redundant internal networks, and high bandwidth capacity, ensuring your data is always available.

Fire Detection and Suppression

Data centers are protected from the risk of fire with VESDA (Very Early Smoke Detection Apparatus). In the event of a fire, your data is protected with dual-alarmed, dual-interlock, multi-zone, pre-action, dry-pipe, water-based fire suppression.

Secure Transmissions and Sessions

Using Extended Validation (EV), connections to VersaPay ARC are protected via TLS cryptographic protocols to ensure users have a secure connection from their browsers to VersaPay’s service. A unique token is created at login, allowing individual user sessions to be identified and re-verified with each transaction.

Network Protection

Firewalls and edge routers block unused protocols while internal firewalls segregate traffic between application and database tiers. The internal network is armed with intrusion detection sensors to alert, log and report security events.

Disaster Recovery

In addition to our disaster-recovery capabilities, customer data is also backed up to external storage in a separate data center. Storage media is not transported off site from this data center, reducing the risk of loss.


All customer data is stored in secure data centers and is replicated over secure links to a disaster recovery data center. This design provides the ability to rapidly restore the VersaPay ARC service in the case of a catastrophic loss.

Peace of mind with regular vulnerability testing and security monitoring

VersaPay tests all code for security vulnerabilities before release and regularly scans our network and systems for vulnerabilities. Third-party assessments conducted regularly include:

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Selected penetration testing and code review
  • Security control framework reviews and testing

With 24/7 security monitoring, VersaPay identifies and manages threats with real-time notifications from various sources and alerts from internal systems.

Stringent internal policies to ensure privacy and protection for our customers

VersaPay has privacy- and security-conscious policies that apply to all our employees to ensure the protection of data in our information handling practices.

Contractual Privacy Protection for Customers

VersaPay’s contracts include confidentiality provisions that prohibit us from disclosing customer confidential information, including customer data, except under certain narrowly defined circumstances, such as when required by law.

Background Checks, Confidentiality Agreements, and Information Security Policies

Every VersaPay employee and contractor undergoes criminal background checks, signs confidentiality agreements, and follows our information security policies.

Privacy Statement

For information collected on the VersaPay ARC™ cloud-based platform, VersaPay provides assurances around the types of information collected, as well as how that information may be used and shared.

VersaPay offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications and notifications.