Duplicate Payment Method Fingerprints Issued

Postmortem: June 30, 2025 — Incorrect Payment Method Fingerprints Returned

We want to sincerely apologize for an issue that occurred on June 30, 2025, where some of our customers received incorrect or duplicate payment method fingerprints when tokenizing new payment methods. This issue lasted from 4:05 PM to 5:50 PM UTC. While no transactions failed and sensitive data was never at risk, we know that accurate fingerprinting is critical to how you manage and deduplicate payment methods, and we’re sorry for the confusion and downstream impact this may have caused.

What Happened

As part of routine security maintenance, we deployed a new encryption key used to manage payment methods. Unfortunately, the deployment included a misconfigured Parent Data Encryption Key (Parent DEK). This misconfiguration caused our fingerprinting system to receive an error from our encryption service, but that error was mistakenly interpreted as valid data. As a result, many new payment methods received the same fingerprint, leading to duplicates or incorrect values being returned across all environments.

Tokenization and payment processing were unaffected—transactions completed successfully, and all sensitive data remained secure.

What We’re Doing to Prevent This

We’ve already taken several steps to ensure this doesn’t happen again:

• Alerting has been implemented for this step in the payment method fingerprinting service

• Process changes have been implemented to prevent this type of misconfiguration in the future

We’re grateful for your trust and patience. If you believe this incident may have affected your environment, or if you have any questions, please don’t hesitate to reach out to our support team.

— The Spreedly Team