According to PCI DSS compliance guidelines, anything that stores or handles Sensitive Cardholder Data is considered to be within PCI scope. All assets, including applications and databases, that can access raw cardholder data are within scope. To make PCI compliance a breeze, VGS has created two distinct solutions, VGS Collect and VGS Show, that are designed to descope your applications from PCI DSS requirements.
VGS Collect is our solution for descoping the applications you use to collect credit card data. While using the inbound proxy can descope your backend, collecting PCI data with your own code would put your front end in scope and subject it to the scrutiny and regulation of PCI QSAs. VGS Collect descopes your application by removing the need to collect the data with your own code. Instead, VGS Collect loads the submission form within our own secure iframes, hosted from our PCI Level 1 environment.
The Collect SDK is the iOS and Android counterpart to Collect.js. It allows you to integrate VGS Collect seamlessly with your mobile application without needing to use Collect.js inside a webview. With the Collect SDK, your mobile application has as much control over VGS Collect as it would with Collect.js.
VGS Show is the inverse of VGS Collect, allowing you to display PCI-sensitive data within your applications without putting your application in scope. Like Collect, VGS Show also uses our secure iframes; instead of loading a form to submit data, the iframes display sensitive information from our environment rather than placing it inside yours.
The Show SDK is the mobile counterpart to Show.js, and the Show counterpart to the Collect SDK. The Show SDK allows you to display customer card information directly to your customers on their phone, loaded securely from within the VGS PCI Level 1 environment, keeping your mobile app out of PCI scope and compliance obligations.
VGS Show is useful for displaying PCI data and has to be enabled by VGS Support. For compliance reasons, we ask you to describe your use case so that we can document it for when VGS is audited for PCI compliance. If you are looking to reveal non-PCI data to your customers, you do not need to use VGS Show; you can simply use the inbound proxy and configure it to Reveal data in the Response phase, when your servers respond to the request with VGS aliases.