Skip to main content

How Vergo keeps your card and payment data secure

An overview of Vergo's security standards | TLS encryption, OAuth2 authentication, and continuous vulnerability monitoring.

Vergo is built on a Security by Design foundation, meaning security is embedded into every layer of the platform not bolted on after the fact. Whether you're managing corporate card transactions, AP automation, or ERP integrations, your data is protected at every step.

What card data Vergo actually receives

Vergo does not receive or store your full card number (PAN), CVV, or expiration date at any point. When a transaction occurs, Vergo receives limited transaction-level details from our card data partner (merchant name, transaction date, amount, and merchant category code (MCC)) which is what powers coding, reporting, and receipt matching. Full cardholder data is never part of that data flow.

Encryption and authentication

  • TLS 1.2 / TLS 1.3 encryption: all data transmitted between your systems and Vergo is encrypted in transit using modern TLS protocols.

  • Encryption at rest: sensitive customer data stored within Vergo is encrypted at rest, providing an additional layer of protection against unauthorized access.

  • OAuth2 authentication: API access is secured through industry-standard OAuth2, ensuring that only authorized integrations can connect to your data.

Ongoing monitoring

  • Continuous vulnerability monitoring — formal policies govern vulnerability management and system monitoring across Vergo's infrastructure.

For a deeper look at Vergo's access controls and organizational security practices, see the related articles in this collection.

Did this answer your question?