FAQ

https://www.verygoodsecurity.com/docs/faq


Dashboard

  • What is an inbound connection?

    • An inbound connection is the connection, through VGS, between your client-side applications or APIs and the hostname of your server.
  • What is an outbound connection?

    • An outbound connection is the connection, through VGS, for requests that originate from your server to third parties (for example, third-party API calls).
  • Can the header fields be stripped in the HTTP requests?

    • We can switch on transparent mode for you. In this mode, the VGS-request-id and x-forwarded-* headers are excluded from the requests you make.
  • How quickly do new or updated filters and operations on a route take effect?

    • Edits to the route filters and operations take up to a minute to propagate.
  • Can regular expressions be used for the Pathinfo?

    • Yes, you can use regular expressions for the Pathinfo field. If you use a regex, make sure you select the matches option from the drop-down menu.
  • When should I use the begins with filter?

    • Use the begins with filter on anything that will not match exactly. For example, if I have /users/27, I'd want to use Pathinfo begins with /users because each user has a unique ID. Additionally, check the Content-Type: if it includes charset=UTF-8 after the MIME type, a filter that specifies just the MIME type will not match.
  • What data types does the access logger selector currently support?

    • JSON, XML and application/x-www-form-urlencoded (not multipart/form-data).
  • How does Host Matching work compared to Filter Condition and Operation Config Matching?

    • If the request doesn't match any defined Host, the proxy responds with a 400 and tells you to whitelist the host. If the Host matches but the PathInfo or the Filter Conditions don't match, and/or the Operation Configs have no matching payload parts, the request is passed through without any modifications and without any error being reported.
  • For PCI compliance, what do I need to redact?

    • For PCI compliance, the minimum you must redact is the PAN and the CVV/CSC (in Volatile Memory).
  • Can VGS accept inbound and outbound requests from different domains?

    • Yes, the two are configured separately. On your inbound, you'll redact sensitive data as it comes in and store the corresponding aliases in place of the data. You can then send the data to as many different domains or third-parties as needed; on the outbound request, the alias will be replaced by the revealed data.
  • How do I remove an organization I no longer use in VGS?

    • The admin user for the organization needs to contact support via email or our in-app chat and provide the name of the organization to be removed.
  • Do you have versioning of VGS routes?

    • Yes, we support versioning and the ability to roll back changes to routes. Check the Audit logs for more details.
  • How can I delete aliases from VGS via Dashboard?

    • There is no way to access the aliases on the Dashboard. To remove aliases from VGS, you need to use the Vault API.
  • When using the Vault API to delete an alias, does this just remove the alias, or does it also delete the data the alias represents?

    • Only the alias is deleted. The underlying data remains, but you are unable to access it. Be certain that you no longer require access before removing aliases for a value stored with VGS. Depending on regulations, certain data requires that we keep a record, which is why the underlying data is not deleted.
  • Do you have any examples of XML detokenization?

    • We don't explicitly show XML detokenization. It works the same as JSON: you use XPath to select the text of the XML whose value should be redacted to a VGS alias, or, in this case, use XPath to select the VGS alias to reveal. Route filters support different operation types and can be flexibly configured for different kinds of data.
  • How can I redact a file through VGS HTTP proxy?

    • You can redact any file through the VGS HTTP proxy by sending the file in your request. For more details click here.
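The matching rules described in the questions above on the begins with filter and on Host versus Filter Condition matching, as a small Python model added here. This is not VGS code: the Route class, the operator names equals/begins with/matches, the use of a whole-value match for the regex operator, and the hosts and route names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the route-matching rules described in the FAQ above.
# Not VGS code: the Route class, operator names and routes are assumptions.

def match_field(operator: str, expected: str, actual: str) -> bool:
    """Evaluate a single filter condition."""
    if operator == "equals":
        return actual == expected
    if operator == "begins with":
        return actual.startswith(expected)
    if operator == "matches":
        # regex operator; whole-value matching is an assumption of this model
        return re.fullmatch(expected, actual) is not None
    raise ValueError(f"unknown operator: {operator}")


@dataclass
class Route:
    name: str
    host: str                                        # upstream Host the route is defined for
    conditions: list = field(default_factory=list)   # (field, operator, expected)


def route_request(routes, host: str, path: str, content_type: str):
    """Decide what the proxy does with a request.

    Returns one of:
      ("400", message)        no route defines this Host
      ("pass-through", None)  Host matched but no route's conditions did:
                              the request is forwarded unmodified
      ("apply", route name)   Host and every condition matched
    """
    host_routes = [r for r in routes if r.host == host]
    if not host_routes:
        return ("400", f"You need to whitelist host {host} on the dashboard.")
    request = {"PathInfo": path, "Content-Type": content_type}
    for route in host_routes:
        if all(match_field(op, expected, request[name])
               for name, op, expected in route.conditions):
            return ("apply", route.name)
    return ("pass-through", None)


# Two routes for the same (assumed) upstream host. The first follows the FAQ
# advice (begins with on both PathInfo and Content-Type); the second uses an
# exact Content-Type, which silently stops matching once a charset is appended.
ROUTES = [
    Route("users-json", "api.example.com", [
        ("PathInfo", "begins with", "/users"),
        ("Content-Type", "begins with", "application/json"),
    ]),
    Route("cards-exact", "api.example.com", [
        ("PathInfo", "matches", r"/cards/\d+"),
        ("Content-Type", "equals", "application/json"),
    ]),
]

if __name__ == "__main__":
    for args in [("other.example.com", "/users/1", "application/json"),
                 ("api.example.com", "/users/27", "application/json; charset=UTF-8"),
                 ("api.example.com", "/cards/27", "application/json; charset=UTF-8"),
                 ("api.example.com", "/cards/27", "application/json")]:
        print(args, "->", route_request(ROUTES, *args))
```

Running the block shows the two failure modes the FAQ warns about: an unknown Host is rejected with a 400 rather than forwarded, and a request carrying application/json; charset=UTF-8 is passed through unmodified by the route with an exact Content-Type condition, while the begins with route still fires.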

Integration

  • We are working on integrating with a third party service that will go through the VGS Platform. This service can only accept connections from a predefined list of whitelisted IP addresses. Can you provide us with the range of IP addresses to whitelist?

    • The Sandbox environment will originate requests from 18.215.58.36, 34.194.18.145, 34.206.157.22.
    • The Live environment will originate requests from 52.6.216.177, 52.7.148.215, 52.72.130.32.
    • Also, check our Integration guide, where the IP ranges are listed.
  • Do you have an API to update routes at once?

    • We have an API and a command line tool available to aid in the Software Development Life Cycle. Currently, this is an enterprise feature.
  • I'm getting errors that the host doesn't match the request URL basename. How do I fix this?

    • Make sure to serve the content via the tenant address (https://tenantid.sandbox.verygoodproxy.com). We add X-Forwarded-Host headers for you. (If you are communicating via API (client to server), you don't need to do this.)
  • Can we use our own vault?

    • Yes, this is an enterprise feature. Contact our sales team to discuss this.
  • Do we have to send all of our traffic through the VGS?

    • No, you can segment traffic by assigning a custom CNAME such as vault.company.com and then sending only the secure traffic to it.
  • What is the cost of a single TLS (formerly SSL) certificate for a custom CNAME?

  • Are the wildcard certificates supported, in the current release?

    • Wildcard certificates are currently not supported. The cost per CNAME record is $40 a month. Support for wildcard certificates may become available in upcoming feature releases.
  • How do we configure our client library using Selenium web driver to work with VGS Platform?

  • When I set a cookie on a request which comes through VGS, the cookie is set on VGS domain instead of my own domain which I redirect to. How should I solve this?

    • You can set the cookie domain and path attributes on your request, for example domain=.company.com;path=/. You might need a CNAME mapping your hostname xxx.company.com to sandbox.verygoodproxy.com or live.verygoodproxy.com for your inbound request.
  • I'm getting the following CORS error: Access... has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response. How do I resolve this?

    • Make sure *.verygoodvault.com and *.verygoodproxy.com are on your list of allowed hosts.
    • Verify that Access-Control-Allow-Methods is set to GET,PUT,POST,DELETE,OPTIONS, Access-Control-Allow-Headers is set to X-Requested-With,Content-type,Accept,X-Access-Token,X-Key, and Access-Control-Allow-Origin is set to *.
  • What is the regular expression to match a Generic VGS alias?

    • (?<prefix>vgs|tok)_(?<environment>[A-Za-z][A-Za-z0-9]+)_(?<identifier>[A-Za-z0-9]+)
  • How do I copy routes from our Sandbox environment to the Live environment?

    • Once you have activated your live environment and created a live vault, you can copy the routes either with our vgs-cli tool or through the dashboard, by exporting the YAML config for all routes from the sandbox vault and importing it into the Live vault. When you export the routes, update each route as needed; this usually means changing the upstream host from the dev/sandbox host to the live host. We recommend saving these routes and checking them into a source repository.
  • What endpoint should I use to create my alias/token for staging/dev and production?

    • Please use the SANDBOX endpoint for staging/dev and use the LIVE endpoint for production.
    • Depending on the request and how it is sent to the 3rd party, format the values properly for use before creating the alias/token.
    • For example, when sending an API Key or X-Secret in the header of a request, the key should be base64 encoded and then sent to the correct VGS endpoint to alias the base64-encoded API Key.
  • Do you support IP whitelisting for Inbound routes?

    • Yes, we support IP whitelisting for both Inbound and Outbound connections. Check the docs for how to enable the feature.
  • Do you support a VPN connection? Can I share one VPN connection between 3rd parties?

    • Yes, we support providing a VPN per 3rd party. A 3rd party may have one or more VPN connections, but you cannot share the VPN connection between multiple parties. For example, from VGS to Visa or from VGS to I2C, you cannot share a VPN connection between these two parties, and you will be billed for a separate VPN to Visa and a separate VPN to I2C.
  • Can you bundle VGS Collect JS into our JS file to remove dependency?

    • No, it would violate PCI compliance. Bundling VGS Collect JS with your JS means you could technically alter the JS. VGS Collect JS cannot be served from your server; the code needs to be served by our PCI compliant servers.
  • What are the next steps in terms of moving to a production-ready vault?

    • All you need is to activate your organization so that you can create a live vault and promote all the settings from the Sandbox to the Live environment. Check the documentation for more details.
  • What is the recommended way of testing on a local API endpoint, as I see the upstream inbound host does not work well with localhost?

    • Ngrok is an excellent way to expose a localhost API endpoint.
  • Is the available RPM a global rate limit for proper use of the system?

    • It's not a global limit. It's per unique IP for inbound and per username and password for outbound; more details are available in the docs.
  • Is HTTP Proxy the only way of integrating for outbound requests?

    • We have several proxies you can integrate with. For outbound requests, you can also use SFTP. We also support TCP, but that's an enterprise feature not supported via the dashboard. We suggest setting up a call to discuss your use case and pricing details (email us at support@verygoodsecurity.com).
  • Does VGS support Stripe 3DS?

  • Is our sensitive data always accessible if we ever need to access it or migrate it into a different system?

    • Yes, your sensitive data is always accessible. VGS vaults the data, and you're able to send it through VGS to any third-party endpoint you wish.
  • How does the proxy differentiate between different tenants?

    • During the certificate issuing process, a certificate dedicated to that CNAME configuration gets installed on our side. Based on it, we can route traffic and determine the tenant.
  • Do I need two different TLS certificates for the sandbox and the live environments?

    • Yes, you need a separate CNAME entry for every environment, so you get two different certificates.
  • How to use GPG?

    • GPG is used to securely exchange sensitive data between two parties. If you need to safely transfer a file or message to someone from the VGS team (here you can find the gpg cheatsheet and how to install gpg), you can either use a GUI PGP tool or run these commands in the terminal:
      # Download public VGS GPG key
      wget https://www.verygoodsecurity.com/keys/vgs.pgp.txt
      # Import this public key
      gpg --import vgs.pgp.txt
      # Encrypt file
      gpg --output myfile.txt.gpg --encrypt --recipient security@verygoodsecurity.com myfile.txt
  • Encryption, hashing, and signing of payloads

  • Is data specific for each vault?

    • Yes. Each vault you create holds its own copy of data and shares nothing with any other vault. If you have two vaults and store the value ABC in both of them, you will receive a unique alias for each vault which has no relationship to the other vault. There is no way to move aliases between vaults.
  • Is there a way to alias PDF files through VGS?

    • At the moment there are 3 ways to alias PDF files through VGS:
    • Send VGS the entire PDF to turn into an alias/token. This is an Advanced Operation; we can provide an example YAML file showing how this works on your SANDBOX vault.
    • Black out sections of the PDF, which is available in the filter of your inbound/outbound route under the PDF Meta tab; check our docs for more information.
    • You could redact text in the PDF, but this depends on the font which may not be supported.
  • Does VGS support IP whitelisting on vault API?

    • Yes. Please drop us a line at support@verygoodsecurity.com to enable the feature.
  • I'm integrating with an API that accepts only POST requests with application/x-www-form-urlencoded as the Content-Type. How can I redact a particular field in this case?

    • To get and redact the necessary value, you can use the Regexp operation. To do this, go into your route settings, set the operation to Regexp, and enter the regular expression in the field.
  • We want to provide our own certificate for our Custom Hostname. How do we do that?

    • At the moment VGS doesn't support accepting and provisioning custom certificates. We issue, manage and provision them to our edges ourselves.
  • I want a CNAME; how far ahead of going live should I set it up?

    • We recommend at least 48 hours before you want to use it in production. The reason is that several firewalls, such as OpenDNS, blacklist newly issued subdomains because those are often used for fraudulent purposes.
  • Can my VGS vault hold on to volatile data for longer than the default one hour?

  • What happens if I ask VGS to reveal an alias for data that has been deleted from my vault's volatile storage?

    • If a VGS reveal filter finds an alias that does not correspond to a piece of data currently stored in your vault, it will send the alias unmodified to the upstream host.
  • Can echo.apps.verygood.systems be used for test purposes only or for production as well?

    • The echo server https://echo.apps.verygood.systems/ should be used for test purposes only; it cannot be used for sensitive data.
  • Can VGS swap out a PAN on a PDF with a token value, or does it just redact the PAN from the PDF?

    • Our PDF redaction means “blurring” the part of the PDF page that contains the PAN (you configure the PAN position via coordinates). The document is blurred in this rectangle only, so the PAN must have a static position in the document.
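The generic alias pattern given in this section, used here to recognise aliases in free text such as a constructed access-log line (an added example, not VGS code). Python's re module spells named groups as (?P<name>...), so the pattern is rewritten in that syntax with the same character classes; the word boundaries added in find_aliases and the sample log line are assumptions.

```python
import re

# The FAQ's alias pattern, with (?<name>...) groups rewritten as (?P<name>...)
# for Python's re module. Character classes are unchanged.
ALIAS_PATTERN = (
    r"(?P<prefix>vgs|tok)_"
    r"(?P<environment>[A-Za-z][A-Za-z0-9]+)_"
    r"(?P<identifier>[A-Za-z0-9]+)"
)
ALIAS_RE = re.compile(ALIAS_PATTERN)
# \b on both sides is an addition of this example so that an alias is only
# recognised as a whole token inside a larger string.
ALIAS_IN_TEXT_RE = re.compile(r"\b" + ALIAS_PATTERN + r"\b")

# Constructed sample log line (not real output); contains two aliases and a
# non-alias reference.
SAMPLE_LOG_LINE = (
    "POST /charge alias=tok_sandbox_fh3Kd9 ref=order-8812 "
    "prior=vgs_live_Ab12 status=200"
)


def parse_alias(value: str):
    """Return the prefix/environment/identifier parts of a complete alias,
    or None when the whole string is not an alias."""
    m = ALIAS_RE.fullmatch(value)
    return m.groupdict() if m else None


def find_aliases(text: str):
    """Return every alias found in free text, in order of appearance."""
    return [m.groupdict() for m in ALIAS_IN_TEXT_RE.finditer(text)]


def count_aliases_by_environment(text: str):
    """Tally aliases per environment, e.g. to spot sandbox aliases in
    production logs."""
    counts = {}
    for alias in find_aliases(text):
        env = alias["environment"]
        counts[env] = counts.get(env, 0) + 1
    return counts


if __name__ == "__main__":
    print(parse_alias("tok_sandbox_fh3Kd9"))
    print(find_aliases(SAMPLE_LOG_LINE))
    print(count_aliases_by_environment(SAMPLE_LOG_LINE))
```

parse_alias rejects strings that only resemble an alias: the environment group needs at least two characters, and an underscore or hyphen inside the identifier ends the match, so tok_sandbox on its own or order-8812 never parse as aliases.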

Billing/PAYG

  • What is the definition of an operation?

    • Operations are anything that processes or transforms the data. Depending on the complexity of the payload and the transformations required, each time data is processed, a number of operations will run. Example operations include revealing data, fingerprinting a record, rewriting request/response, advanced computations.

Configuration

  • What are the different Alias Formats?

    • Check out our documentation with alias format descriptions. We have several different alias formats available depending on your use case. Three of them are for Format Preservation and Luhn Validation. We additionally have a numeric length-preserving alias and our global alias that works on all data (strings, multiple strings, arrays/lists etc.).
  • What happens if I provide a value with invalid length/format with format preserving alias format set?

    • In that case the alias is created in UUID format; see more details about the alias formats in the documentation.
  • What are Persistent and Volatile Storage types?

    • Persistent mode aliases are stored in the database per our data retention policy. Volatile Storage aliases are stored only for 60 minutes; that is the default value and it can be configured within some constraints. Volatile storage is useful when you cannot keep some information in your system due to compliance but still need to use it for a series of requests. One example would be getting the PIN from a client and using it in a request to a third-party service. One important note is that you can only reveal aliases when the storage mode matches. For example, if you have an operation that redacts the PIN value with Volatile storage, a reveal operation with Volatile storage will work for that alias but one with Persistent storage will not, and vice versa.
  • Do values always resolve to the same redaction alias (e.g. will 123 always be the same alias)?

    • Provided the fingerprinting feature is turned on (the default behavior), the values always resolve to the same redaction alias. Fingerprinting can be turned on or off; it is enabled by default.
  • What is the typical message flow?

    • Here you can see our common flow: data-usage.
  • How many IP addresses are available for IP anonymization?

    • We have approximately 2,000 IP addresses available.
  • Can the records be removed from the expired cards?

    • Yes, records can be removed upon request and per our data retention policy.
  • What protective measures have been put in place against the possibility of a DDoS attack?

    • Typical measures include a WAF, powered by AWS, and DDoS mitigation at Layer 3.
  • How do I migrate existing data from my storage?

  • If I send the same sensitive data from two different endpoints, will I get 2 different aliases or the same alias twice?

    • Provided the fingerprinting setting is turned on (the default behavior), the values always resolve to the same redaction alias. Fingerprinting can be turned on or off for a vault on the dashboard (Settings -> Advanced). NOTE: turning off fingerprinting could lead to additional charges.
  • If I have 2 inbound routes set up on VGS, how can I specify which one to use?

    • You would need a CNAME for the additional route in order to have two Inbound routes.
  • If my route is tenantid.sandbox.verygoodproxy.com, do I make my CNAME point to that or sandbox.verygoodproxy.com?

    • You have to point to sandbox.verygoodproxy.com for Sandbox or to live.verygoodproxy.com for LIVE.
  • Are the sandbox credentials and private keys issued by VGS different for production?

    • Yes, they are different. If you need a VGS token for your RSA key, you will need to create it again in the LIVE vault.
  • How do you monitor availability and uptime? And how often do you perform backups?

    • Availability and uptime monitoring: i) Multiple providers that give us synthetic transactions to measure uptime.
    • Regular backups: i) Daily incremental and weekly full backups are configured for the database. ii) Databases are replicated to a secondary Data Center in real time. iii) For HA, we replicate across Availability Zones, so we have the capacity to fail over. iv) Robust Disaster Recovery Policies tested on at least an annual basis.
  • Who issues your certificates and what kind of certs are they?

    • Regular TLS certificates for HTTPS traffic, issued for your CNAME by "Let's Encrypt".
  • What is the maximum payload that can be processed through the VGS HTTP proxy?

    • Through the VGS HTTP proxy, you can process up to 24 MB. If the payload is larger, you can use SFTP.
  • How to migrate data from a third-party SFTP to your VGS vault?

    • The general migration process looks like this:
    • Have the third party provide the information you require to VGS in a CSV via SFTP. The third party provides the SFTP credentials (Host, Port, User and Password) to VGS by encrypting them with the VGS PGP public key, or VGS can host the SFTP and encrypt the SFTP credentials with the third party's PGP key. The VGS PGP key for encrypting the SFTP credentials can be found here: https://www.verygoodsecurity.com/keys/vgs.pgp.txt.
    • Specify the information VGS should tokenize/alias and the token/alias type you require. The available aliases can be found here: https://www.verygoodsecurity.com/docs/terminology/nomenclature#alias-formats.
    • Once the CSV is aliased by VGS, we provide the aliased CSV encrypted with your PGP key. This CSV is delivered either by placing it on your SFTP, or VGS can host the file on our SFTP.
  • Is the alias created by VGS Collect the same as created by the Vault API?

    • Yes, aliases created using the VGS Collect and Vault APIs will be the same within the same vault.
  • Can the VGS service parse the GraphQL format?

    • VGS can take a payload and alias parts of it, but you would need to use a regular expression (RegEx) for a GraphQL payload. However, this is not recommended, since a GraphQL payload can change and there is no guarantee that the aliasing doesn't accidentally alias another value that shouldn't be aliased/tokenized.
  • Is it possible to have volatile storage and persistent storage for different keys in the same payload?

    • Yes, you can have persistent and volatile aliases in the same payload.
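The storage-mode, fingerprinting and reveal behaviour described in this section, together with the Dashboard answer on revealing an alias whose volatile data is gone, as a toy in-memory model added here. It is not VGS code: the ToyVault class, the HMAC-based fingerprint, the alias layout and the method names are assumptions chosen to make the described behaviour observable.

```python
import hashlib
import hmac
import secrets

# Constructed model of the alias semantics in the FAQ: persistent vs volatile
# storage, fingerprinting, reveal only when the storage mode matches, and an
# unknown alias passed on unmodified. Not VGS code; everything here is assumed.


class ToyVault:
    def __init__(self, environment: str, fingerprinting: bool = True):
        self.environment = environment
        self.fingerprinting = fingerprinting
        # one alias table per storage mode, keyed by alias string
        self._store = {"persistent": {}, "volatile": {}}
        # per-vault secret so that the same value yields the same alias inside
        # one vault while the alias reveals nothing about the value and bears no
        # relation to the alias another vault would produce
        self._fp_key = secrets.token_bytes(32)

    def _identifier(self, value: str, storage: str) -> str:
        if self.fingerprinting:
            # deterministic: same value + same storage mode -> same identifier
            digest = hmac.new(self._fp_key, f"{storage}:{value}".encode(),
                              hashlib.sha256).hexdigest()
            return digest[:12]
        # fingerprinting off: a fresh alias on every redaction
        return secrets.token_hex(6)

    def redact(self, value: str, storage: str = "persistent") -> str:
        """Store value and return an alias in the page's tok_<env>_<id> layout."""
        alias = f"tok_{self.environment}_{self._identifier(value, storage)}"
        self._store[storage][alias] = value
        return alias

    def reveal(self, alias: str, storage: str = "persistent") -> str:
        """Look the alias up in the requested storage mode only. Anything not
        found there (wrong mode, expired volatile data, an alias from another
        vault) is returned unmodified, as the FAQ describes."""
        return self._store[storage].get(alias, alias)

    def expire_volatile(self) -> None:
        """Model the volatile retention window running out."""
        self._store["volatile"].clear()


if __name__ == "__main__":
    sandbox = ToyVault("sandbox")
    card = sandbox.redact("4111111111111111")          # constructed test value
    print(card, sandbox.redact("4111111111111111") == card)   # same alias twice
    print(sandbox.reveal(card), sandbox.reveal(card, "volatile"))  # value, alias
    pin = sandbox.redact("1234", "volatile")
    sandbox.expire_volatile()
    print(sandbox.reveal(pin, "volatile"))              # alias passed through
```

The model makes three FAQ statements concrete: with fingerprinting on, redacting the same value twice from different call sites returns one alias; a reveal issued against the other storage mode, or after the volatile window has expired, forwards the alias string unchanged instead of raising an error; and a second vault (for example live) neither reveals a sandbox alias nor produces the same alias for the same value.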

Compliance

  • Which compliance certifications does VGS have?

    • Our compliance certifications are listed here. We have PCI DSS Level 1; see the Visa PCI Service Provider List here. Additionally, we have SOC 2 Type 2 and Privacy Shield.
  • Is it required to store the billing address/name encrypted, or does PCI compliance allow an unencrypted billing address/name?

    • It's not required unless the PAN is stored with the name and address. If you are storing the name and address with the PAN, then you should use one of the following:

    • One-way hash functions based on strong cryptography, also called a hashed index, which displays only index data that point to records in the database where the sensitive data actually reside.

    • Truncation – removing a data segment, such as showing only the last four digits.

    • Index tokens and securely stored pads: an encryption algorithm that combines sensitive plaintext data with a random key or “pad” that works only once.

    • Strong cryptography, with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”

    • You can find more information at the following link: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

  • Can I reveal credit card information in my mobile app? Can I reveal credit card information from my website?

    • It depends on the use case. If you are a card issuer or an eWallet, you can reveal the credit card information through your mobile app (iOS/Android). If you have a website (or you are not a card issuer or an eWallet with only a mobile app), then you can still reveal the card information but you are now required to follow Rule 8 of the PCI Compliance rules. See Rule 8 here.
  • If the expiration date (month/year) of a credit card is stored in our database along with the VGS-aliased credit card number, how does it affect our PCI compliance? Do we need to tokenize the expiry date too?

    • No, you are not required to alias the expiration date of a credit card; PCI rules allow the expiration date to be stored. The credit card number, on the other hand, must not be stored in clear text, so by using VGS to alias it you are out of PCI scope. Please note that the CVC/CVV must be stored in Volatile storage (you can find more information at the following link).
  • Why do you charge $40 per TLS certificate for a CNAME?

    • TLS termination needs to happen on the VGS side to fully descope our customers according to PCI compliance requirements. The cost covers issuing, renewing, provisioning and managing the certificate.
  • Is it necessary to alias bank account number and routing number?

    • We strongly recommend it, at least for the bank account number. Aliasing both of them is preferable and should be enough to address ACH fraud in most cases.

Troubleshooting

  • What to do if you lose access to your one-time password (OTP) device and get locked out of your account:

    • Contact support via email. For security reasons, you will need to go through an identity verification process to reset your one-time password.
    • The support team resets your OTP.
  • I keep sending a 16-digit number but Format Preserving Aliases are not working. Why not?

    • For format preserving to work, the value must be Luhn valid. If it's not, you'll see it redacted using our universal alias format.
  • I keep seeing CSRF exceptions. How do I work with my particular framework to still enforce CSRF while using VGS?

    • The easiest way to solve this is to check the documentation for your framework. Use it with a reverse proxy (for example NGINX) and configure the settings for CSRF.
  • How should I use the inbound connection if I have a tightly coupled app (like using template views in Django)?

    • You have a few options: you can use the inbound to load your website through the URL provided during the integration process. Alternatively, you can post data to the URL followed by the path if you do not want to load your site through the service.
  • How should I use the inbound connection if I have a loosely coupled app (e.g. React front end connecting to a Java backend via API)?

    • The best pattern here is to post the data to the URL provided and later replace it with a CNAME that forwards to your API hostname.
  • What's the best pattern for promoting Routes and Filters to the Live (production) environment?

    • We recommend that you use standard development best practices. Use a sandbox for a dev/staging/canary environment, have automated tests and integration tests running on your sandbox (with FAKE data), and once the tests pass, promote to Live. Additionally, we recommend as part of the SDLC saving the configuration in source control (using the command line tool, currently for enterprise customers) so that you can easily roll back if the configuration causes side effects not seen in testing.
  • My data is not revealing on the outbound connection.

    • The most common cause is that the alias storage mode differs, or the alias format differs (e.g. you redacted it as FP 6_T_4 and are trying to reveal it using FP T_4).
  • I've tried everything above, but cannot figure out the error, what do I do?

    • Contact support via email or our in-app chat and provide the vgs-request-id with a description of the error you got.
  • What to do if I see net::ERR_CONNECTION_CLOSED in console when my app tries to initialize vgs-collect?

    • You might need to whitelist verygoodvault.com and verygoodproxy.com, as your production web-filter policy could be blocking them.
  • Is there a way to look up logs older than the past 24 hours?

    • On the Access logs page there is no way to fetch logs older than 24 hours. But we can fetch any historical data from our internal storage upon request (contact support via email).
  • If we switch to a live account, can the original aliases generated in sandbox still be used in live?

    • In terms of the original aliases, they will not be available in your LIVE vault. We separate the aliases for SANDBOX and LIVE environments. The SANDBOX vault is for testing, while the LIVE vault is for real transactions.
  • I am using the Vault API in my project, and when I try to make a request to reveal my aliases I get a 403 error.

  • I’m getting an error while adding a new CNAME (instead of the wrong one) on Dashboard.

    • When you change/create a CNAME you also specify a TTL (Time To Live) attribute. It's a sort of expiration date put on a DNS record that tells the recursive server or local resolver how long it should keep the record in its cache. The longer the TTL, the longer the resolver holds that information in its cache. If you set your CNAME to point to your vault and specify it incorrectly (with the TTL set to 300 seconds), our cert-manager will use the cached values for those 300 seconds. To change your CNAME to point to a different URL, you should wait these 300 seconds and then make the necessary changes.
  • I'm getting a 504 error on outbound, what is this?

    • A 504 status code means that the upstream host (your destination third party) refused the CONNECT method request and responded with something other than a status code or message. This could mean several things: the tunneling setup on your server side has been implemented incorrectly, you need to whitelist our static IP addresses for outbound, or the third party requires mutual TLS.
  • I want to try routing my outbound traffic through VGS, but it's difficult to chain VGS's forward proxy with my existing proxy configuration. Is there an alternative?

    • As a workaround for testing, development, and building proof of concepts, you can use a VGS reverse proxy between your servers and the third party service.
  • I get this error: Invalid proxy configuration: You need to whitelist host ... on the dashboard, although I do not have IP whitelisting enabled.

    • You can get this error because you are using the wrong Access Credentials; make sure you use the credentials for the current vault.