How Billtrust ensures data security with AI

Blog | March 27, 2025


The rapid rise of tools like OpenAI’s ChatGPT has seized the financial community's focus at an unprecedented speed and magnitude, marking the beginning of a broader AI revolution. With the progression of large language models (LLMs) and foundational models, there is a notable transformation in AI capabilities spanning various domains.

Business leaders have valid reasons to anticipate the potential that AI introduces to their teams. Simultaneously, they should exercise caution regarding the potential risks it might pose to their company and strategize ways to mitigate those risks.

According to a Dell survey, IT decision makers across the US, UK, Germany and France cited data security and IP risks as the No. 1 reason they are hesitant about embracing GenAI. And in a Google survey, respondents said that data leakage and privacy were two of the top three concerns when asked, “What are you seeing as the top three risks, dangers or security issues with AI today for your company?”

But let’s first explore what AI needs before it can be effective, and that’s data.

The importance of data

Data takes center stage when we talk about anything machine learning (ML), and that includes AI. Modern statistical/ML algorithms perform well because they are optimally “tuned” to your data. That tuning is what produces highly tailored answers, so without access to your data there is no way to answer your questions with the same performance.

Loosely speaking, data is the black gold in this AI era. Data accelerates innovations, allows for smarter decisions, and fuels impactful strategy. Rapidly acquiring and positioning quality data for usage in decision-making can and often does lead to on-time strategic actions by you and your team, and importantly, competitive advantage.

The application of AI in all industries, but especially ours here in finance, demands careful consideration of data privacy and security. Consider generative AI as an example. Deploying GenAI in the financial sector exposes users to risks including loss of insight into how outcomes are generated and potential non-deterministic inaccuracies. Addressing these concerns requires a deep understanding of the models themselves, the AI providers, and their commitment to data security.

Key questions to ask AI vendors

To mitigate risks, businesses must ask tough questions when evaluating ML/AI vendors and their solutions. These include inquiries about data security, data usage policies, and protection against potential leaks or breaches.

Data security and sharing

  • How is data secured in transit?
  • What do you do with the user-queries sent, and the responses delivered?
  • What are the security frameworks and practices set in place?
  • How do you protect proprietary and confidential financial data? IP?
  • How do you ensure that your info will not be shared with third parties?
  • How do you ensure your enterprise’s sensitive data won’t be used to train the public AI model?

Data retention

  • What is the data retention policy? And do you have any influence over the standards and requirements therein?

Customer privacy

  • Can it be guaranteed that customers won't see business information from other customers, such as invoice data?

Risk mitigation

  • How is the risk reduced when customizing and training the model with data that may contain sensitive information like personally identifiable information (PII)?
  • What measures are in place to prevent data leaks from training data sets?
  • What provisions are made for disaster recovery in case of system failures or data loss?

Scalability and integration

  • How scalable is the AI solution, and how easily can it be integrated into existing systems and workflows?

Model accuracy and transparency

  • How is the accuracy of the model measured?
  • What ensures the validity of the results?
  • What explanations can be provided for observed outputs?

Compliance

  • Does the AI solution comply with relevant industry regulations and data protection laws (e.g., GDPR, CCPA, HIPAA)?

To address these questions effectively, you need a deep understanding of the provider's choices, including:

  • Model architecture
  • The conditions under which the model is fitted
  • The integrity of the vendor and the quality of its data commitment. The vendor should furnish:
    • Detailed information about the AI models in use,
    • The data privacy and security measures implemented, and
    • The strategies they employ to manage and minimize risks


Billtrust's approach to data security

Our focus at Billtrust is to lay the foundation for future innovation, prioritizing data security and privacy, while advancing AR automation. We achieve this through a comprehensive strategy built upon Payment Card Industry Data Security Standard (PCI DSS) compliance, adherence to stringent internal policies, and strategic partnerships with industry-leading AI and security vendors.

PCI DSS compliance

Billtrust has a suite of products available to its customers to facilitate a payment involving Cardholder Data (CHD). Cardholder Data includes any personally identifiable information (PII) associated with payment card transactions.

To protect this data, Billtrust securely stores it in dedicated databases designed for recurring transactions. These databases comply fully with PCI DSS encryption and security standards. As a service provider, we undergo rigorous annual assessments to maintain PCI DSS compliance. Our most recent Attestation of Compliance (AOC) confirms our adherence to PCI DSS v4.0.1 across our in-scope services.

Why PCI DSS matters:

  • Fraud prevention: The standard encryption requirements (like AES-256 for stored CHD) and network segmentation protocols (using Palo Alto firewalls and AWS security groups) create layered defenses against data theft.
  • Regulatory alignment: Compliance ensures processes meet legal obligations under GDPR, CCPA, and other data protection laws through documented controls like access management and audit trails.
  • Business continuity: Regular vulnerability scans (quarterly internal/external) and incident response planning minimize downtime from security incidents.

How do we protect sensitive information and data in our AI initiatives?

Protecting sensitive information is a top priority in our AI initiatives. From leveraging enterprise-grade AI models to implementing robust encryption methods and secure data handling practices, Billtrust ensures compliance and safeguards client data every step of the way.

Here’s an overview of the key measures we take to maintain data security and privacy:

  • Foundation models: We utilize enterprise-grade AI models like OpenAI Enterprise and Azure OpenAI, ensuring compliance with our data usage policies. Critically, Personally Identifiable Information (PII) and credit card data are never shared with these models. These models and services offer features such as data encryption at rest and in transit, strict access controls via SAML SSO, and a guarantee that sensitive data is not used for training the models.
  • Training data: OpenAI Enterprise, for instance, does not train on your data from ChatGPT Enterprise or their API platform, and allows you to retain ownership of your inputs and outputs (where allowed by law), as well as control how long your data in ChatGPT Enterprise is retained.
  • Data encryption: These models employ strong encryption methods. They encrypt all data at rest (AES-256) and in transit (TLS 1.2+), and use strict access controls to limit who can access data, with authentication through SAML SSO. With Azure OpenAI, customers get the security capabilities of Microsoft Azure while running the same models as OpenAI.
  • Vector databases: To access text data in a way that is compatible with LLMs, we make use of vector databases for a process called retrieval-augmented generation (RAG). Retrieval-augmented generation is a technique that supplements user queries with related contextual information, which is likely to improve the quality of results far beyond what an LLM will do on its own. Our current (and all future choices of) vector databases offer built-in data security features and access control mechanisms to protect sensitive information.
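The customer-privacy question above (no customer should ever see another customer's invoice data) is decided at the retrieval step of RAG: whatever the vector database returns is what ends up in the prompt. The following is an added illustration, not Billtrust code and not a real vector database client, of tenant-scoped retrieval: every document carries a tenant_id, and the store filters on the caller's tenant before it ranks by similarity, so other tenants' records are never candidates no matter how similar they look. The embedding is a toy hashed bag-of-words so the example runs offline; the sample invoice notes are constructed.

```python
"""Tenant-scoped retrieval for RAG (added illustration, not Billtrust's code).

Documents are stored with a tenant_id and retrieval is filtered by the caller's
tenant *before* similarity ranking, so one customer's invoice text can never be
pulled into another customer's prompt. The embedding is a toy hashed
bag-of-words (assumption) so the example runs offline; a real deployment would
use a model embedding and the vector database's own metadata filter.
"""
from __future__ import annotations

import hashlib
import math
import re
from dataclasses import dataclass, field

DIM = 64  # toy embedding width (assumption)


def embed(text: str) -> list[float]:
    """Hashed bag-of-words embedding, L2-normalised. Stand-in for a real model."""
    vec = [0.0] * DIM
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        h = int(hashlib.sha256(tok.encode()).hexdigest(), 16)
        vec[h % DIM] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a: list[float], b: list[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


@dataclass
class Doc:
    tenant_id: str
    doc_id: str
    text: str
    vector: list[float] = field(default_factory=list)


class TenantScopedStore:
    """Minimal in-memory stand-in for a vector database with a metadata filter."""

    def __init__(self) -> None:
        self._docs: list[Doc] = []

    def add(self, tenant_id: str, doc_id: str, text: str) -> None:
        self._docs.append(Doc(tenant_id, doc_id, text, embed(text)))

    def search(self, tenant_id: str, query: str, k: int = 3) -> list[Doc]:
        """Filter by tenant first, then rank: documents of other tenants are
        never candidates, regardless of how similar they are to the query."""
        q = embed(query)
        candidates = [d for d in self._docs if d.tenant_id == tenant_id]
        ranked = sorted(candidates, key=lambda d: cosine(q, d.vector), reverse=True)
        return ranked[:k]


def build_prompt(store: TenantScopedStore, tenant_id: str, question: str, k: int = 3):
    """Assemble the augmented prompt; returns it with the ids of the context used."""
    hits = store.search(tenant_id, question, k)
    context = "\n".join(f"[{d.doc_id}] {d.text}" for d in hits)
    return f"Context:\n{context}\n\nQuestion: {question}", [d.doc_id for d in hits]


def demo_store() -> TenantScopedStore:
    """Constructed sample data: two customers with similar-looking invoice notes."""
    s = TenantScopedStore()
    s.add("acme", "acme-inv-1001", "Invoice 1001 for Acme, net 30, paid late by 12 days")
    s.add("acme", "acme-inv-1002", "Invoice 1002 for Acme, net 45, disputed line item")
    s.add("globex", "globex-inv-7", "Invoice 7 for Globex, net 30, paid late by 20 days")
    return s


if __name__ == "__main__":
    prompt, used = build_prompt(demo_store(), "acme", "which invoices were paid late?")
    print(prompt)
    print("context ids:", used)
```

The design point is the order of operations: the tenant filter is applied to the candidate set before any ranking, rather than filtering the top-k afterwards, so a very similar record belonging to another customer can never crowd into the result and can never be observed indirectly through ranking behaviour.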

What's happening with shared data in GenAI chats?

Generative AI chats can’t do without sharing data and information, but when Billtrust uses these LLMs, we make a commitment to keeping data private. For data analysis purposes, only the structure of data tables, schemas, and data definitions are transmitted. Billtrust adheres to stringent policies that expressly prohibit the utilization of shared data for external training or any purposes outside the scope of our products and services.
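Sending only table structure, not rows, is a boundary control, and it is only as good as the check that enforces it. The following is an added example, not Billtrust's code, of a schema-only payload for model-assisted data analysis together with a leak guard that compares the outgoing JSON against every cell value held locally. A deliberately careless serializer that attaches "sample rows" is shown for contrast so the guard can be seen catching it. The ar_invoices table and its two rows are constructed sample data.

```python
"""Schema-only payload for LLM-assisted data analysis (added example, not Billtrust's code).

The analyst's question and the table *structure* go to the model; row values never do.
A leak guard compares the outgoing payload against every cell in the local table so a
careless serializer (shown for contrast) is caught before anything is sent.
"""
import json

# Constructed sample table; in practice this comes from the warehouse catalog.
TABLE = {
    "name": "ar_invoices",
    "columns": [
        {"name": "invoice_id", "type": "STRING", "nullable": False},
        {"name": "customer_email", "type": "STRING", "nullable": False},
        {"name": "amount_due", "type": "DECIMAL(12,2)", "nullable": False},
        {"name": "due_date", "type": "DATE", "nullable": False},
        {"name": "paid_date", "type": "DATE", "nullable": True},
    ],
}
ROWS = [
    {"invoice_id": "INV-20231", "customer_email": "jane.doe@example.com",
     "amount_due": "1250.00", "due_date": "2024-02-01", "paid_date": "2024-02-15"},
    {"invoice_id": "INV-20232", "customer_email": "bob@example.org",
     "amount_due": "980.50", "due_date": "2024-03-01", "paid_date": None},
]


def schema_only_payload(table: dict, question: str) -> dict:
    """Column names, types and nullability only: what the model needs to draft SQL."""
    return {
        "question": question,
        "tables": [{
            "name": table["name"],
            "columns": [dict(c) for c in table["columns"]],
        }],
    }


def naive_payload_with_samples(table: dict, rows: list, question: str) -> dict:
    """Contrast case: 'helpfully' attaching sample rows. This is the leak."""
    p = schema_only_payload(table, question)
    p["tables"][0]["sample_rows"] = rows[:2]
    return p


def row_values(rows: list) -> set:
    """Every non-null cell value as a string, the set nothing outbound may contain."""
    return {str(v) for r in rows for v in r.values() if v is not None}


def find_leaked_values(payload: dict, rows: list) -> list:
    """Return every cell value that appears anywhere in the serialized payload."""
    blob = json.dumps(payload)
    return sorted(v for v in row_values(rows) if v in blob)


def is_safe_to_send(payload: dict, rows: list) -> bool:
    return not find_leaked_values(payload, rows)


def prepare_for_model(payload: dict, rows: list) -> str:
    """Serialize for transmission, refusing outright if any row value is present."""
    leaked = find_leaked_values(payload, rows)
    if leaked:
        raise ValueError(f"refusing to send payload: row values present {leaked}")
    return json.dumps(payload)


if __name__ == "__main__":
    print(prepare_for_model(schema_only_payload(TABLE, "Which invoices are overdue?"), ROWS))
    print(find_leaked_values(naive_payload_with_samples(TABLE, ROWS, "q"), ROWS))
```

The substring check is deliberately coarse: it will flag short values that happen to appear in legitimate schema text, which is the right failure direction for a guard that sits in front of an external model call. A production version would also canonicalise numbers and dates so that reformatted values are still recognised.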

Where is your AR data stored?

Beyond just accessing and sharing data, an equally crucial aspect is data storage. At Billtrust, we store data in cutting-edge cloud solutions like Snowflake and MongoDB, both equipped with robust built-in security and governance features.

How Billtrust's AI solutions secure data

Billtrust has an AI strategy that is designed to address the specific needs of different users, including AI specialists, supervisors, and decision-makers, with curated analytics ranging from analytical and benchmarking metrics to prescriptive analytics and dynamic workflows.

One example is our Days to Pay Index, a proprietary key performance indicator in Billtrust’s Invoicing Analytics Dashboard. The Days to Pay Index leverages a Billtrust algorithm to calculate a client’s efficiency in collecting payments compared to similar businesses within the Billtrust directory. This index offers unique benchmarking intelligence.

To address data security and privacy issues, we ensure the aggregate data is completely anonymized while providing valuable insight into peer performance.
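An aggregate is only anonymous if the cohort behind it is large enough: a peer median over two companies lets either one back out the other's number. The following is an added example, not Billtrust's code, and it does not reproduce the proprietary Days to Pay Index algorithm; it shows the generic anonymization pattern for a peer benchmark of this kind, in which a client receives only its own value and a cohort aggregate, peer identifiers never leave the function, and cohorts below an assumed minimum size (MIN_COHORT) are suppressed. The client list and days-to-pay figures are constructed sample data.

```python
"""Peer benchmark with small-cohort suppression (added example, not Billtrust's code;
the Days to Pay Index algorithm itself is proprietary and is not reproduced here).

Each client sees only an aggregate over its peer cohort, never individual peers, and a
cohort below MIN_COHORT members is suppressed because an aggregate over very few
companies lets one member infer another's value.
"""
from collections import defaultdict
from statistics import median

MIN_COHORT = 5  # assumed policy threshold, not a Billtrust figure

# Constructed sample: (client id, peer segment, average days to pay).
CLIENTS = [
    ("c1", "manufacturing", 38.0), ("c2", "manufacturing", 42.5),
    ("c3", "manufacturing", 35.0), ("c4", "manufacturing", 47.0),
    ("c5", "manufacturing", 40.0), ("c6", "manufacturing", 51.0),
    ("c7", "wholesale", 33.0), ("c8", "wholesale", 36.0), ("c9", "wholesale", 30.0),
]


def cohort_stats(clients: list, min_cohort: int = MIN_COHORT) -> dict:
    """Per-segment aggregates; segments smaller than min_cohort are suppressed (None)."""
    by_seg = defaultdict(list)
    for _, seg, dtp in clients:
        by_seg[seg].append(dtp)
    stats = {}
    for seg, vals in by_seg.items():
        stats[seg] = None if len(vals) < min_cohort else {"n": len(vals), "median": median(vals)}
    return stats


def benchmark_for(client_id: str, clients: list, min_cohort: int = MIN_COHORT) -> dict:
    """The client's own figure plus its cohort aggregate. Only counts and a median of
    the peers are returned; no peer identifier or individual value is exposed."""
    _, seg, my_dtp = next(c for c in clients if c[0] == client_id)
    peers = [dtp for cid, s, dtp in clients if s == seg and cid != client_id]
    if len(peers) + 1 < min_cohort:
        return {"client": client_id, "days_to_pay": my_dtp,
                "peer_benchmark": None, "reason": "cohort too small"}
    peer_median = median(peers)
    return {
        "client": client_id,
        "days_to_pay": my_dtp,
        "peer_median": peer_median,
        "index": round(my_dtp / peer_median, 3),  # <1.0 collects faster than peers
        "peers": len(peers),
    }


if __name__ == "__main__":
    print(cohort_stats(CLIENTS))
    print(benchmark_for("c1", CLIENTS))
    print(benchmark_for("c7", CLIENTS))
```

The threshold protects against the small-cohort inference; it does not by itself protect a large cohort dominated by one very different member, which is why production benchmarking systems typically add outlier handling or noise on top of size-based suppression.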


A safe haven for your data

As businesses navigate the AI revolution, ensuring data security is paramount. Users should be critical and ask some tough questions when committing to an AI solution in the order-to-cash cycle. Try to get an understanding of how your data is used, who has access to it, and the level of human intervention in generating results.

Billtrust is committed to leveraging enterprise-level GenAI and implementing robust data security measures that safeguard sensitive financial data, while allowing you to take advantage of all the good things AI has to offer.

Learn more about how Billtrust can transform your order-to-cash processes with AI.

FAQ

GPT stands for Generative Pre-Trained Transformer. It is a type of Neural Network architecture made famous by OpenAI with their introduction of their ChatGPT series of LLMs.

Generative AI, aka GenAI, is a subset of AI/machine learning (AI/ML) technologies, distinguished by their ability to create new content. The most prominent GenAI technologies today are large language models (LLMs), the most cutting-edge of which include the GPT neural network architecture; these are trained on massive amounts of data.

A public LLM is simply a large language model made available to the public via an API. Some of them can be run locally after downloading from a platform like HuggingFace, whereas others, such as the OpenAI models available publicly over the open internet, offer no privacy or security guarantees.

Encryption converts data into a format that is largely indecipherable unless you have been permitted access. Even if a breach were to occur, encrypted data must be decrypted to be readable; this requires a decryption key, which is secret.

PCI DSS (Payment Card Industry Data Security Standard) compliance is a mandatory security framework for organizations handling credit card transactions, designed to protect sensitive payment data and reduce fraud risk.