Concur Trust Platform

PCI Image
BSI Image


The Concur® Trust Platform is founded on two key elements necessary in any business, industry best practices in Security and Service Management. We understand that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and our own success. Concur’s Trust Platform relies on a unique combination of trained personnel, mature business processes, and regular third party audits against a variety of international and U.S. standards to deliver a level of security and confidence unmatched in the industry.


For most companies, employee spend management business functions like travel procurement, expense reporting and invoice processing are financially relevant, meaning that Concur’s solutions become an extension of our customers’ financial operations. In order to become, and remain the employee spend management partner of choice, Concur’s solutions are audited regularly for compliance with the following global standards for Security and Service Management:

  • ISO 27001. The Global standard for IT security management practices.
    • Concur has been BS 7799 certified since 2004 and undergoes twice-annual audits.
  • ISO 20000. The world standard for IT service management practices.
    • Concur was initially certified to ISO 20000 in 2008 and undergoes twice-annual audits.
  • SOC1 Type II. Concur transitioned to the SSAE16 and ISAE3402 standard in 2010.
    • Twice-annual audits.
  • PCI DSS. Concur is a VISA Registered CISP Compliant Service Provider.
    • As a Level 1 Service Provider, Concur is audited annually by a PCI Qualified Security Assessor.
  • Sarbanes Oxley. Concur is audited once per year as part of its annual public audits.
  • FISMA (Financial Information Security Management Act). Concur policies and procedures meet security control requirements as documented within the NIST SP 800-53 Revision 4 with Concur Government Edition (CGE).
    • CGE has been accredited by a Third Party Assessment Organization (3PAO) and granted the authority to operate (ATO) from the General Services Administration (GSA).


Concur policies and practices are in compliance with the following privacy laws:

  • EU Privacy Directive 95/46/EC and assured through Safe Harbor certification
  • UK Data Protection Act of 1998
  • Canada PIPEDA (Personal Information Protection and Electronic Documents Act)
  • U.S. state PII privacy, security, information protection

Concur collects only the minimum necessary PII (personally identifiable information) and uses it only for agreed upon purposes. Concur has enacted the following safeguards related to PII:

  • Encrypted when transmitted over public networks
  • Encrypted when stored in databases and flat files
  • Encryption of e-mail messages sent from Concur Premier to customers
  • Accessible only by vetted, authorized personnel
  • Storage of PII prohibited on Concur workstations, mobile devices, and portable storage devices

Data Protection

Data at Rest

  • PII data - Encrypted in the database, flat files, and when sent in email messages - AES 128 or Blowfish-256
  • Credit card information/number - Unique encryption key that is never stored - Split keys - Encrypted using AES 128
  • Passwords - One-way hashed and salted (SHA 256)
  • Back-up media - Encrypted (AES 256)

Data in Motion

  • User Sessions - SSL 128 bit or 256 bit
  • Batch data feeds - FTP/FTPS/SFTP - PGP-2048 encryption regardless of transport
  • On-demand data feeds - SSL 128 or higher

Data Centers

Concurs solutions are based on a high availability architecture with no single point of failure and collocated in a number of Tier 4 data center facilities in Europe and USA. These facilities provide carrier-level support including:

Access Control & Physical

  • 24x7x365 manned security
  • Biometric hand geometry readers
  • Kinetic and key locks on closed cabinets
  • Windowless exteriors
  • Bullet Resistant Protection
  • CCTV integrated with access control and alarm system
  • Motion detection for lighting
  • Dedicated concrete-walled Data Center rooms
  • Computing equipment in access-controlled steel cages


  • Robust HVAC system to provide stable airflow, temperature and humidity, with minimum N+1 redundancy for all major equipment.
  • N+2 redundancy for chillers and Thermal Energy Storage, providing enhanced temperature stability.

Flood & Earthquake

  • Moisture barriers on exterior walls
  • Dedicated pump rooms
  • Drainage/evacuation systems
  • Moisture detection sensors
  • Seismic Controls
  • Anchored & braced cabinets

Fire Detection and Suppression

  • Multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system3
  • Very Early Smoke Detection and Alarm (VESDA)


  • Underground utility power feed
  • Redundant (N+1) CPS/UPS systems
  • Redundant power distribution units (PDUs)
  • Redundant (N+1) diesel generators with on-site diesel fuel storage

Application Security

Role based security

  • User roles can be defined both at the group and user level
  • User and group access can be defined down to the form and field level

Parameter Validation and Input Protection

  • Secured URL
  • Robust input field validation, filtering, and defensive techniques

OWASP based secure application development

Mobile Security

Concur for Mobile is a proprietary application installed in a mobile device (not accessed via the mobile’s web browser) so most security available to Concur’s web apps are also in place for mobile plus device’s local security features.

Data Display

  • PII data is not displayed on mobile device
  • Only credit card information displayed is credit card name and last 4 digits of credit card number

Data Storage

  • All information stored on device can be encrypted with AES 256-bit encryption Local storage device is encrypted
  • Only information stored on device is from last user that logged in via the mobile device
  • Expense and itinerary data are cached for offline viewing
  • Information is cached while user is logged in and cleared upon log off
  • Static data is cached for increased performance during look-up searches
  • No credit card, company/corporate information, or user data are stored on the device

Data Transmission

  • Data transmitted is encrypted with SSL 128-bit or higher


  • All mobile platforms require authentication to Concur before accessing any data
  • Concur Mobile does not store the password: when a user selects the auto-login feature, the system generates a unique OAuth token that is stored on the device

Device Security Features

  • Remote wipe capability Device passwords
  • Enables the use of hardware-based encryption Content protection (provided by BB…needs to be enabled)
  • User-level and file system-level permissions (for Android devices, Concur has implemented a model to encrypt sensitive data on the device to increase security)

Network Based Security

Concur’s network architecture ensures that sensitive client data is protected through best business practice security policies and procedures. Network security encompasses needs-based access, proper network segmentation, and Security and Risk Management oversight.

  • Secure Internal Administration Network. Concur employs a complete internal infrastructure to backup and monitor servers through secure connections. All web servers contain at least two Network Interface Cards (NICs). One NIC is connected to the production environment, and the other is connected to the Concur Operations internal private network. The IP addresses of these servers are protected from third parties through Concur’s non-routable network.
  • Hardened Router Configurations. Router configurations are used to correctly route packets to their proper destinations, and to restrict traffic. Access Control Lists (ACLs) on the front-end routers are used to stop common attacks that could affect the environment, including IP spoofing and limited denial-of-service attacks.
  • Network Segmentation. Concur’s multi-segmented network architecture prevents direct public contact or connection to Concur’s private network segment. This ensures client information is not accessible directly from the Internet. Concur utilizes intrusion detection systems that monitor all TCP/IP incoming and outgoing traffic between network segments.
  • Front-end Load Balancers. Access to Concur services is managed with redundant load balancers. The load balancers provide a variety of functions including SSL session termination, load balancing, network address translation (NAT), and port address translation (PAT).
  • Distributed Denial of Service (DDoS) protection. All Concur service locations are protected by a service that protects the availability of Concur services even when under a distributed denial of service (DDoS) attack.
  • Activity Log Aggregation. Log activities from network devices and systems are aggregated through an activity log collection system. Alarms are generated for those events that warrant immediate attention.
  • Proactive Monitoring. Security and Risk Management continuously monitors industry communities for news of security alerts, as well as vendor and partner security changes that may affect Information Services and Concur’s product line. Information Services has 24/7 automated monitoring with backup personnel. Intrusion Detection Systems. Intrusion Detection System (IDS) technology is an integral component of Concur’s comprehensive enterprise security strategy. The IDS alerts Concur of suspicious IP traffic or log activity that occurs on Concur’s systems and networks. Where possible, isolated IDS servers bear the security audit load, reducing overall consumption of resources within the application servers to zero levels.
  • Active Vulnerability Assessment. Concur Security Engineers perform infrastructure security scans on a regular basis using an approved PCI scanning vendor from the Internet as well as from internal scanning appliances. Discovered vulnerabilities are managed through Concur’s remediation process in accordance with industry best practices.
  • Web Application Firewalls. Front-end web application firewalls protect Concur services by blocking traffic that could represent attempts to steal application data or break in to Concur web applications. These firewalls are highly distributed and monitored.
  • Multiple Firewall Layers. Concur utilizes multiple layers of firewalls that protect applications and client databases. Application firewalls permit traffic only from Concur web servers to reach Concur application servers, and database firewalls permit database queries only from Concur application servers.
  • VPN. Concur Operations personnel use a best-in-class VPN when connecting and transmitting from outside the trusted network. The VPN secure tunnel offers internal Operations personnel highly secure remote connectivity to perform after-hours maintenance or troubleshooting. Multi-factor authentication is required for all Concur personnel with access to systems containing customer data.
  • Data Protection. All networks, systems, databases, and applications that contain customer data are a Tier 4 datacenter. Access to customer data is granted on a least-privilege, need-to-know basis.
  • Digital Certificates and SSL. Concur’s services utilize web server digital certificates to verify the authenticity of all client sites. Digital certificates are used to encrypt all Internet web traffic between clients and servers. Concur services utilize secure sockets layer (SSL) technology to ensure that HTTP communication between Concur clients and Concur servers is encrypted. Please refer to the section entitled, “Concur Application Acceleration” later in this chapter for information related to SSL and application acceleration.

Host-Based Security

Information Services employs a hardened, approved, and standardized build for every type of server used within the infrastructure. This procedure disables unnecessary default user IDs, closes down unnecessary or potentially dangerous services, and removes processes that are not required. In addition, all available and approved security patches are installed. Concur utilizes dedicated engineers responsible for continually updating, optimizing, and securing the standard build procedures.

Host security highlights include:

  • Database SAN (Storage Area Network) Cluster: Concur databases are stored on a fully redundant SAN. Drives are configured with RAID for all tiers of storage and each segment of data has at a minimum two Standby Drives that will be used automatically in the event of a drive failure. Database Servers use N+1 clustering to prevent downtime in the event of a Server failure.
  • Standard server builds. Concur adheres to a least privilege methodology with server configuration standards baselined in accordance with the CIS benchmarks . Server configurations are managed through an enterprise configuration management tool that further ensures server security and integrity. Data Backup. Backup media for Concur’s online services are fully encrypted with AES-128. Media that is stored offsite is safely transported by secure courier to a hardened off-site media storage facility.
  • Alert monitoring. Security and Risk Management monitors vendor security updates, hacker sites, and security industry sites to understand where the next vulnerability and threat will surface.
  • File Integrity Monitoring: Concur’s services utilize file integrity monitoring (FIM) tools that alert operations personnel of any unauthorized or unexpected changes on any server.
  • Centralized Logging. Events from all systems are collected, aggregated, and alerted via a centralized log collection engine that is monitored by the Concur Global Operations Center.
  • Standard patch process. All patches are tested through a standard process to ensure proper functioning within the operating environment before they are applied to the servers and adhere to industry best practices and regulatory requirements.
  • Standard change control process. All changes to any part of Concur’s infrastructure must pass a strict Change Control Process to ensure best practices and minimal service interruption for our clients.
  • Security Information and Event Management. Concur receives real-time alerts for a variety of activities which may indicate malicious activity.

Vulnerability Management

Concur regularly tests application code for security vulnerabilities, and regularly scans the network and systems for vulnerabilities. Third-party assessments are also conducted regularly:

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Selected penetration testing and code review
  • Security control framework review and testing

Security Monitoring

Concur utilizes enterprise-class systems and tools to continuously monitor all aspects and layers of the Concur solutions infrastructure. From intrusion detection systems to resource consumption, Concur’s solutions environment is fully monitored by world-class monitoring systems and trained operations center personnel.

Concur Personnel

  • Various verifications and checks are done on all candidates before hiring. This would include employment and credit checks, criminal record verification, and other background checks (content depends on local laws).
  • Concur personnel are provided training regularly on security policies and procedures. Inclusive of company policies and procedures, corporate ethics and business standards, and secure development training — based on OWASP.
  • To ensure personnel’s knowledge is current (company security policies and procedures), regular updates are released and periodic performance appraisals are performed.

Disaster Recovery

Concur has been built in a high availability architecture to ensure that in the event of a failure, service performance continues to meet client expectations. This means every tier of the architecture has either multiple servers in a cluster or multiple network or SAN paths so that there is no single point of failure, all key components are implemented in parallel.

Concur’s services are located at Tier 4 co-location facilities. These were selected as they have been built in a “fortress” approach so that core services, telecomm and power, are diversely supplied into the building; physical access is managed through state of the art technology and they are third party audited annually. Concur is also compliant and registered to ISO 27001, which requires that the production, maintenance and testing of a Disaster Recovery Plan (DRP). The current DRP is a formal recovery procedure for recovering the entire application in the alternate data center.

In addition real-time inter-site data replication is performed between the production data center and the disaster recovery center:


Primary site

Disaster recovery site

US production

Lynnwood, WA

Dallas, TX

EMEA production

Paris, France

Amsterdam, Netherlands

Service Recovery Capabilities

Concur uses an enterprise storage solution with inter-site replication in Concur’s tier 4 facilities in Europe and US. In conjunction with the deployment, and based on the physical architecture, Concur has DR procedures covering each of the services Concur provides its clients with total loss of data center being the worst case scenario. Concur has tested Disaster Recovery Plans covering all of the services necessary to ensure service continuity.

Recovery Objective


Recovery Point Objective

4 hours

Recovery Time Objective

2 business days


Concur maintains a backup policy, process and audit schedule for client information and critical infrastructure within Hosting Service data centers. The backup process is initiated, maintained and verified by the Storage Services group within Concur’s Hosting Operations department. This group retains required experience in the chosen backup solution.

Backup media is stored within three tiers including near-line storage, local tape storage and offsite tape storage.

Concur’s onsite storage serves all critical infrastructure and application servers and devices. On-site storage allows for faster restoration and heuristic analyses of past system backups.

Data Archival

Concur retains key elements associated with selected products to include travel and expense data indefinitely for our active customers. This includes expense reports, expense report receipts, invoice details, invoice images and travel itineraries.

Ancillary data such as extracts are retained for only one year. Customer organizations that wish to retain extract data for longer periods of time need to archive their copies of extracts.

Upon termination of a customer relationship, Concur will destroy all customer data. Concur will also return data to the former customer in accordance with the terms of the Business Services Agreement between the parties.

Concur Single-Sign On

Concur offers HMAC-based and SAML-based Single-Sign On. Single Sign-On enables client organizations to have a higher degree of control over user-id management and authentication policy than would otherwise be available.

  • SAML for Identity Management Systems
  • HMAC for Active Directory and LDAP

Concur Connect

Concur customers can build real-time connectors to Concur Travel and Expense services to more tightly integrate Concur systems into their own. Connections are established using SSL/TLS and Oauth authentication.

Concur FTP Site

Concur customers utilize FTP for the transferal and retrieval of client information. The FTP sessions require client-specific accounts and complex, often-changed passwords. Each file is PGP encrypted with client-specific keys, and each file set resides in client-specific directories. FTP directories are chrooted, and have extremely limited function calls. Supported transfer protocols include FTP, SFTP, and FTPS.

Internal & External Audits

Concur provides Software as a Service for over 25,000 customers, and in order to assure our customers that their data confidentiality, integrity and availability is maintained, Concur conducts multiple internal audits as well as third party audits on a scheduled basis. The written results of many of these audits are available upon request. Concur also undergoes periodic external scans, some of which are available upon request.




SSAE16 & ISAE 3402(formerly SAS70 Type II)

Twice per year


ISO 27001

Twice per year


ISO 20000

Twice per year



Once per year


Application VulnerabilityAssessment

Once per year


Network Vulnerability Assessment

Once per year



Once per year


ISO 27001



ISO 20000






Application vulnerability scanning



Network penetration testing



External PCI scanning



Corporate risk assessment



Last Update: 06/2016

About Concur

Concur Blog


Concur is a leading provider of integrated travel and expense management solutions. More

  • 601 108th Ave NE, Suite 1000
  • Bellevue, WA 98004 USA
  • Phone: 800 401 8412
  • Fax: 425 590 5999

2016 © All Rights Reserved.

Privacy Policy


Terms of Use


API Deprecation Policy