Nothing’s more important than your peace of mind and confidence when processing a transaction through the Spreedly platform. Our platform processes over $20 billion in digital commerce transactions annually and it is our goal to bring a flexible and secure payments strategy to all businesses.
Below are just a few of the ways that Spreedly takes proactive steps, both online and offline, to ensure your customers' financial information is secure while still allowing you to process transactions seamlessly.
“We recognize that core to our success is trust from our customers. We are incredibly proud to reinforce that commitment to security and compliance and continue to support our growing, global customer base.”
— Christopher Hudel, Chief Information Security Officer (CISO)
Spreedly is General Data Protection Regulation (GDPR) compliant effective May 25th 2018, and will maintain GDPR compliance for all the processors and sub-processors in our technology stack where we decide on your behalf how data will be processed. More information about our GDPR compliance can be found here.
Spreedly is Level 1 PCI compliant — the highest and strictest level — and is on the Visa Global Registry of Service Providers and the Mastercard SDP Compliant Registered Service Provider list. You can find our supporting documentation on our PCI page. You can also view our attestation of compliance here.
Spreedly’s 3DS2 solution is a multi-factor authentication protocol used to confirm digital identity during card-not-present checkout to prevent fraud. The solution is EMVCo certified, including our iOS and Android SDKs.
Spreedly is a vendor-neutral Network Token Provider and is certified with both Visa and Mastercard. Because Network Tokenization requires a cryptogram on the initial creation, it provides an added layer of security when vaulting cards and using them in the future. More information can be found here.
Spreedly operates in a cloud-based environment via AWS, with multiple mechanisms in place to ensure resiliency and business continuity. For more information, please reference the AWS datacenter PCI L1 compliance page, which certifies extensive physical protections as well; AWS also houses various other banking, government, and security agencies.
Spreedly requires TLS v1.2 for its Core transactional API when supported by the connecting client. Beyond that single requirement, Spreedly’s secure configuration currently warrants an A+ rating from SSL Labs, meaning that Spreedly’s website security is resilient to attacks exploiting older, weaker TLS versions.
Spreedly uses the Advanced Encryption Standard (AES) with 256-bit keys when encrypting confidential data within the vault. Each confidential record within the vault is encrypted using a separate, randomly generated, encryption key. This key itself is then further protected by encrypting with an asymmetric key (RSA, 2048 bits).
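The per-record key scheme described above can be sketched as follows. This is an added example, not Spreedly's code: the GCM mode, the OAEP padding, the function names `seal` and `open_record`, and the sample record are assumptions, since the page names only AES-256 and RSA-2048.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # assumed RSA padding

# Encrypt one record under its own fresh AES-256 key, then wrap that key with
# the RSA public key. Only the wrapped key is stored beside the ciphertext.
# record must be non-empty (OpenSSL::Cipher#update rejects an empty string).
def seal(public_key, record)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt # GCM is an assumed mode
  dek    = cipher.random_key # 32 random bytes, used for this record only
  nonce  = cipher.random_iv  # 12-byte GCM nonce
  ciphertext = cipher.update(record) + cipher.final
  {
    wrapped_key: public_key.public_encrypt(dek, OAEP),
    nonce: nonce,
    ciphertext: ciphertext,
    tag: cipher.auth_tag
  }
end

# Unwrap the data key with the RSA private key, then decrypt and authenticate.
# Raises OpenSSL::Cipher::CipherError if the ciphertext or tag was altered.
def open_record(private_key, sealed)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = private_key.private_decrypt(sealed[:wrapped_key], OAEP)
  decipher.iv = sealed[:nonce]
  decipher.auth_tag = sealed[:tag]
  decipher.update(sealed[:ciphertext]) + decipher.final
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::PKey::RSA.new(2048) # 2048-bit key-encryption key
  sealed = seal(kek.public_key, 'constructed sample record')
  puts open_record(kek, sealed)
end
```

Because every record has its own data key, recovering one key exposes one record, and the RSA private key can be held apart from the stored data.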
Vulnerability Management / Penetration Testing / Red-Team Exercises.
These terms mean different things to different organizations, but they each represent part of a continuum of constantly assessing and improving information security: from known patchable vulnerabilities, to syntactical coding exploits, to semantic process deficiencies. Spreedly performs all three of these assessment types (including social engineering tests such as phishing tests) on a regular basis, in addition to process-only tabletop exercises that seek to assess and improve our incident response to common, likely, and impactful threats such as ransomware.
From an architectural perspective, Spreedly seeks to embrace Google’s BeyondCorp security ideals, where access to resources is fully authenticated, fully authorized, and fully encrypted based upon user credentials (with Multi-Factor Authentication). We measure our resilient information security posture against the NIST Cyber Security Framework, bettering our ability to prevent, detect, and respond to information security attacks.
Contact Us and we'll get your questions answered.