Security, Compliance, and AI: Inside Spreedly’s 2025 Foundation

In 2025, Spreedly focused on building strength beneath the speed. From achieving PCI DSS 4.0.1 and unifying fraud with payments orchestration to advancing privacy architecture and responsible AI governance. This look back explores the five pillars that shaped the year and how they are setting the stage for secure, confident growth in 2026.

Written by
Jennifer Rosario
Publication Date
February 25, 2026

If 2024 was the year payments teams proved they could move fast, launch faster, and expand almost anywhere, then 2025 was the year we made sure all of that speed was built on a foundation as solid as bedrock, not freshly poured concrete.

As the Chief Information Security Officer (CISO) at Spreedly, I get a unique perspective on what we’re doing here. From where I sit, growth and security have never been opposing forces. They’re more like siblings who argue from time to time but know how much each needs the other.

You already know that the more ambitious your roadmap starts to get, the more discipline your foundation requires. Expansion, orchestration, AI, global scale… none of it works if the underlying controls aren’t living up to the high standards the industry sets for us.

Security creates confidence for customers and merchants alike. Engineers get room to build, and executives get clarity about risk and reward. That is why we put so much energy into building strong foundations at Spreedly.

In 2025, we leaned fully into compliance under PCI DSS 4.0.1, unified fraud and payments orchestration so that the decisions that matter most to your bottom line aren’t fragmented, and did a lot more.

Here are the five key pillars that defined our progress over the last year, and how they’ll impact us (and you) as we move into the future. 

Achieving the gold standard: PCI DSS 4.0.1

In October 2025, Spreedly achieved compliance under PCI DSS 4.0.1.

You can view our PCI DSS Attestation of Compliance here

One of the most important shifts in PCI 4.0.1 is the move away from point-in-time validation and toward continuous security. Passing an audit once a year is no longer the benchmark. The expectation now is that your controls operate reliably every day, with ongoing monitoring and clear evidence that they’re doing what they’re designed to do.

To meet PCI 4.0.1 requirements, we delivered meaningful updates to the Spreedly iFrame, including enhanced session authentication and automated script integrity protections. 

Client-side components are part of the real-world attack surface, so we strengthened them with the same rigor we apply to our core infrastructure. These improvements reinforce how payment data is collected and protected in the browser while preserving the performance and flexibility our customers rely on.

For engineering teams, that means secure client-side payment collection without added friction. For executives, it provides confidence that the infrastructure supporting revenue aligns with the industry’s most current standards. For us, it means we’re getting ahead of operational security and making sure you have what you need to bring the most value to your clients and your business.

PCI DSS 4.0.1 sets a higher operational bar. We’re proud to meet it, and we’re committed to sustaining it.

Unified Orchestration: bringing payments and fraud into the same conversation

One of the most important decisions we made in 2025 was to unify payments and fraud orchestration. We got a great start from our acquisition of Dodgeball, a leader in fraud orchestration, and it changed how we think about risk across the entire transaction lifecycle.

For too long, payments routing and fraud prevention have operated as separate entities, each trying to solve different challenges. You’ve got one team optimizing for approval rates, while another manages risk thresholds. Obviously, you need both. But when those systems are disconnected, decisions that affect revenue, customer experience, and exposure don’t always share the same context.

So we unified the two into a single ecosystem. 

Integrating Dodgeball’s capabilities into our platform created a unified environment where risk decisions can be made at every meaningful checkpoint, from account creation through checkout. Call it “The Checkpoint Advantage.”

You already know that not every transaction deserves the same level of scrutiny. By applying “Intelligent Friction”, you can trigger additional verification, like an MFA challenge or an identity check, only when the risk signals justify it. You end up with stronger revenue protection while eliminating the “engineering time tax” you pay when you manage dozens of siloed tools.
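As an added illustration of the checkpoint and Intelligent Friction ideas above (example code, not Spreedly’s or Dodgeball’s), this policy keeps one risk context per session across checkpoints, so a step-up passed at login is remembered at checkout; the signal weights, checkpoint thresholds and credit value are constructed assumptions.

```javascript
// Added example, not Spreedly's or Dodgeball's code: a minimal "intelligent
// friction" policy sharing one session context across checkpoints.
// Signal weights, thresholds and the step-up credit are illustrative values.

// Weighted risk signals (constructed).
const SIGNAL_WEIGHTS = {
  newDevice: 25,
  ipCountryMismatch: 30,
  highVelocity: 35, // many attempts in a short window, a card-testing pattern
  largeAmount: 20,
};

// Per-checkpoint thresholds: score >= stepUp asks for extra verification,
// score >= block declines outright. Checkout tolerates less risk than signup.
const CHECKPOINTS = {
  account_creation: { stepUp: 50, block: 90 },
  login: { stepUp: 40, block: 85 },
  checkout: { stepUp: 30, block: 70 },
};

// Credit applied once a step-up (MFA or identity check) has passed this session.
const STEP_UP_CREDIT = 40;

function riskScore(signals) {
  return Object.entries(SIGNAL_WEIGHTS)
    .filter(([name]) => signals[name])
    .reduce((sum, [, weight]) => sum + weight, 0);
}

// Decide what to do at one checkpoint. ctx persists for the whole session and
// carries context between checkpoints: { stepUpPassed: boolean }.
function decide(checkpoint, signals, ctx) {
  const t = CHECKPOINTS[checkpoint];
  if (!t) throw new Error(`unknown checkpoint: ${checkpoint}`);
  const raw = riskScore(signals);
  if (raw >= t.block) return "block"; // no earlier step-up excuses this
  const effective = ctx.stepUpPassed ? raw - STEP_UP_CREDIT : raw;
  return effective >= t.stepUp ? "step_up" : "allow";
}

// Call after the user completes the requested verification.
function markStepUpPassed(ctx) {
  ctx.stepUpPassed = true;
}
```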

For engineering teams, it means less hassle piecing together separate fraud and payments systems. For business leaders, it means a clearer view of how risk strategy influences approval rates and customer lifetime value.

For us, it’s really just reflective of a simple principle: the decisions that protect revenue should live in the same system that helps generate it.

After all, revenue protection and customer experience really shouldn’t have to compete for priority.

Privacy by design: privacy, automation, and trust

You can’t have security without a robust privacy framework. It just doesn’t work. So, this year, we matured our Privacy by Design architecture and moved toward a model where privacy is a core product requirement. 

In 2025, we invested in stronger privacy management and contract lifecycle tooling to handle the operational weight of cookie policies, data processing terms, and privacy integrations. 

These systems manage the repeatable work at scale and give us clear documentation of how data obligations are being met. That visibility matters to all of us, especially as requirements continue to evolve across regions. 

Global expansion adds yet another layer of responsibility. Whether you’re expanding into LATAM, EMEA, or anywhere else, privacy rules differ by region, and the expectations of each region will continue to grow.

Our Security and Legal teams work closely together to ensure that when we enter a new market, compliance is built in from the beginning. Regulatory considerations are addressed early, and operational controls are aligned before launch. 

That way you can expand into new regions with confidence. Regional requirements get handled with the same discipline we apply to our core infrastructure, and privacy remains a critical aspect of how we operate so you can continue to expand with ease. 

For more, read our Privacy Policy here

Responsible AI governance: responsible innovation

You’ll find Artificial Intelligence as a part of daily operations across the industry. That reality brings opportunity, and it brings responsibility. 

In 2025, we formalized how AI is used inside Spreedly. Efficiency and speed are both really valuable, but both of these things need to operate within clear guardrails. To that end, we have established a structured governance framework to ensure that AI adoption aligns with our security standards, legal obligations, and company values.

We formed a cross-functional AI Council to oversee internal use cases and evaluate new tools. This group ensures that AI initiatives are reviewed with the same rigor we apply to any system that touches sensitive data or critical workflows.

We implemented formal usage policies and a required security and legal review process for any AI-driven tooling introduced into our environment. Clear rules reduce ambiguity. Review processes create accountability.

We also introduced mandatory AI security training for all employees, with deeper technical modules for developers. AI-assisted coding and automation require thoughtful oversight. Training ensures our teams understand both the benefits and the risks.

For our customers, this governance model provides assurance. As we integrate AI into our own operations and platform capabilities, we’re doing it deliberately and transparently. 

Responsible AI governance ensures that progress remains sustainable, secure, and aligned with the standards our customers expect from us.

Intelligent response: fighting AI fraud with AI

As fraudsters increasingly weaponize AI for automated card testing and account takeovers, we’ve scaled our own AI-driven defenses.

In 2025, we expanded our use of AI-driven threat detection across our environment. These systems run continuously, scanning for anomalies, flagging unusual behavior, and escalating issues in real time. 

We also began migrating to a next-generation SIEM solution to improve visibility across our global infrastructure. Better visibility means faster detection. Faster detection means tighter containment. That sequence matters when seconds can define impact.

For engineering leaders, it means fewer operational surprises. For executives, once again it means confidence that risk is actively managed. And for all of our customers, it means the infrastructure supporting your payments is monitored with intent and precision. All very good things!

Looking ahead to 2026: raising the bar

Our roadmap for 2026 is ambitious, built on the belief that security should never be a hurdle to innovation. To deepen the trust our customers place in us, we are focusing on two strategic fronts: global certification excellence and the dawn of agentic commerce.

Expanding Our International Standards Framework

While we continue to re-certify our PCI DSS and SOC 2 Type II credentials, we’re aggressively expanding our compliance portfolio to solidify our global leadership. In 2026, we’re pursuing three new international certifications:

  • ISO 27001: To further formalize our Information Security Management System (ISMS).
  • ISO 27701: To achieve the highest global standard for Privacy Information Management.
  • ISO 42001: To establish a certified framework for the responsible and secure use of Artificial Intelligence—ensuring our internal AI governance meets the world’s most rigorous benchmarks.

From Conversation to Conversion: Enabling Agentic Commerce

As we harden our infrastructure, we are simultaneously building the future of payment intelligence. 

By leveraging the unified data from our Dodgeball integration and our advanced detection systems, we’re developing an AI-powered Payments Co-pilot. 

This vision is already coming to life through our enablement of live agentic commerce environments. By utilizing our network tokenization technology, we securely authorize and finalize AI-driven transactions, effectively "unblocking" AI agents in the payment flow.

By using network tokens to legitimize payment credentials, we allow these agents to complete complex B2B and B2C bookings with the high approval rates required for high-velocity industries. 

This approach allows our partners to transition AI from a simple conversational tool to a transactional revenue driver. And by the way, that all happens without requiring a major overhaul of their existing payment infrastructure.

A huge thank you to all of you for your continued trust as we build the world’s most secure and flexible open payments platform.
