FAQ

Dashboard

  • How do I remove an organization I no longer use in VGS?

    • The admin user for the organization needs to contact support via email or our in-app chat and provide the name of the organization to be removed.

  • Can I create multiple organizations?

    • Yes, this is possible, but each organization has to have its own subscription. The admin user for the organization needs to contact support via email or our in-app chat.

  • Do you have versioning of VGS routes?

    • Yes. Routes are versioned and changes can be rolled back. Check the Audit logs for details.

  • How can I delete aliases from VGS via Dashboard?

    • Aliases cannot be viewed or managed from the Dashboard. To delete aliases from VGS you need to use the Vault API.

  • What to do if you lose access to your one-time password (OTP) device and get locked out of your account:

    • Contact support via email. For security purposes, you will need to go through an identity verification process before the one-time password can be reset.

    • Once our support team has verified that you are the owner of the VGS account, they will restore your OTP.

  • How to copy routes from our Sandbox environment to the Live environment?

    • Once you have activated your Live environment and created a Live vault, you can copy the routes either with the vgs-cli tool or from the Dashboard, by exporting the YAML config for all routes from the Sandbox vault and importing it into the Live vault. Review each exported route before importing it; this usually means changing the upstream host from the dev/sandbox host to the live host. We recommend saving these route files and checking them into a source repository.

Integration

  • How do we configure our client library using Selenium web driver to work with VGS Platform?

  • When I set a cookie on a request which comes through VGS, the cookie is set on VGS domain instead of my own domain which I redirect to. How should I solve this?

    • Set the Domain and Path attributes in the Set-Cookie header your server returns, for example domain=.company.com; path=/. You might also need a CNAME mapping your hostname xxx.company.com to sandbox.verygoodproxy.com or live.verygoodproxy.com for your inbound request, so that the cookie domain covers the hostname the browser actually talks to.

  • What is the regular expression to match a Generic VGS alias?

    • (?<prefix>vgs|tok)_(?<environment>[A-Za-z][A-Za-z0-9]+)_(?<identifier>[A-Za-z0-9]+)
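
    • The pattern above is written with (?<name>...) named groups, which JavaScript, PCRE and .NET accept. Python's re module accepts only (?P<name>...), so the following added example (not from the VGS documentation) restates the same pattern in Python syntax and uses it to parse a single alias, to list every alias-shaped token in a payload, and to spot aliases from an unexpected environment (for instance a Sandbox alias arriving in Live traffic). The \b word-boundary anchors, the helper names and the sample payload are additions of the example.

```python
import re

# The FAQ's pattern uses (?<name>...) named groups, which JavaScript, PCRE and
# .NET accept. Python's re module only accepts (?P<name>...), so the same pattern
# is rewritten in that syntax here. The \b anchors are an addition so that
# finditer() only reports whole alias-shaped tokens, not prefixes of longer words.
ALIAS_RE = re.compile(
    r"\b(?P<prefix>vgs|tok)_"
    r"(?P<environment>[A-Za-z][A-Za-z0-9]+)_"
    r"(?P<identifier>[A-Za-z0-9]+)\b"
)


def parse_alias(value):
    """Split a single alias into its parts, or return None if it is not one."""
    match = ALIAS_RE.fullmatch(value)
    return match.groupdict() if match else None


def find_aliases(text):
    """Return every alias-shaped token in a payload, in order of appearance."""
    return [m.group(0) for m in ALIAS_RE.finditer(text)]


def aliases_for_environment(text, environment):
    """Aliases in the payload whose environment segment equals `environment`.
    Useful at a Live boundary: any alias this returns for "sandbox" will never
    reveal against a Live vault and should be rejected early."""
    return [
        m.group(0) for m in ALIAS_RE.finditer(text)
        if m.group("environment") == environment
    ]
```

    • The environment check is the one worth keeping at your boundary: an alias whose environment segment does not match the vault you are sending to will never reveal, so catching it early gives a clearer error than a silently unrevealed value at the third party.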

  • What endpoint should I use to create my alias/token for staging/dev and production?

    • Use the SANDBOX endpoint for staging/dev and the LIVE endpoint for production.

    • Depending on the request and on how the value is sent to the third party, format the value properly before creating the alias/token, so that the revealed value can be dropped into the outbound request as-is.

    • For example, when an API key or X-Secret is sent in a request header in base64, base64-encode the key first and send the encoded value to the correct VGS endpoint, so that the alias stands for the base64-encoded API key.

  • What are the next steps in terms of moving to a production-ready vault?

    • All you need to do is activate your organization; you can then create a Live vault and promote all the settings from the Sandbox to the Live environment. Check the documentation for details.

  • What is the recommended way of testing on a local API endpoint, as I see the upstream inbound host does not work well with localhost?

    • ngrok is an excellent way to expose a localhost API endpoint on a public hostname that VGS can reach as the upstream.

  • Is HTTP Proxy the only way of integrating for outbound requests?

    • We have several proxies you can integrate with. For outbound requests you can also use the SFTP proxy. We also support TCP, but that is an enterprise feature that is not available via the Dashboard. We suggest setting up a call to discuss your use case and pricing details (email us at [email protected]).

  • Is our sensitive data always accessible if we ever need to access it or migrate it into a different system?

    • Yes, your sensitive data is always accessible. VGS vaults the data, and you can send it through VGS to any third-party endpoint you wish.

  • How to use GPG?

    • GPG is used to securely exchange sensitive data between two parties, for example when you need to safely transfer a file or message to someone on the VGS team (see the GPG cheat sheet and installation guide). Confirm the key's fingerprint with VGS support through a second channel before encrypting to it. You can either use a GUI PGP tool or run these commands in a terminal:

      # Download the public VGS GPG key
      wget https://www.verygoodsecurity.com/keys/vgs.pgp.txt
      # Import the public key
      gpg --import vgs.pgp.txt
      # Encrypt the file for the VGS recipient
      gpg --output myfile.txt.gpg --encrypt --recipient [email protected] myfile.txt

  • Encryption, hashing, and signing of payloads

  • I'm integrating with an API that accepts only POST requests with application/x-www-form-urlencoded as the Content-Type. How can I redact a particular field in that case?

    • To capture and redact the necessary value, use the Regexp operation: go into your route settings, set the operation to Regexp and enter the regular expression in the field. Write the expression so that it is anchored to the field name (for example to card_number=) and stops at the next & separator, so that it cannot match digits belonging to a neighbouring field.
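
    • An added example (not VGS's own code or route configuration) of the kind of expression to use for an application/x-www-form-urlencoded body, run locally with Python's re module. It anchors the match to the card_number key so neighbouring fields are untouched, and contrasts it with a bare digit-run pattern that also swallows a 16-digit order_id. The sample body and the stand_in_alias() placeholder are constructed; a real alias comes from the vault, and how the capture is wired into the Regexp operation is as per the route documentation.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Constructed sample body: the order_id happens to be 16 digits too, which is
# exactly the kind of neighbour a sloppy pattern would swallow.
FORM_BODY = "order_id=4111111111111111&card_number=4242424242424242&cvv=123&note=thanks"

# Precise: the value of the card_number field only. The key must sit at the
# start of the body or right after '&', and the value runs up to the next '&'.
CARD_NUMBER_RE = re.compile(r"(?P<key>(?:^|&)card_number=)(?P<value>[^&]*)")

# Naive: any 13-19 digit run anywhere in the body. Kept only to show over-matching.
NAIVE_PAN_RE = re.compile(r"\d{13,19}")


def stand_in_alias(value):
    """Deterministic alias-shaped placeholder; a real alias comes from the vault."""
    return "tok_sandbox_" + hashlib.sha256(value.encode()).hexdigest()[:22]


def redact_field(body, pattern=CARD_NUMBER_RE, alias_for=stand_in_alias):
    """Replace only the named field's value, leaving key and delimiters intact."""
    return pattern.sub(lambda m: m.group("key") + alias_for(m.group("value")), body)


def redact_naive(body, alias_for=stand_in_alias):
    """What happens with an unanchored digit pattern: every long digit run goes."""
    return NAIVE_PAN_RE.sub(lambda m: alias_for(m.group(0)), body)


def changed_fields(before, after):
    """Names of form fields whose value differs between two urlencoded bodies.
    A cheap assertion for tests: the precise pattern must change exactly one."""
    old = parse_qs(before, keep_blank_values=True)
    new = parse_qs(after, keep_blank_values=True)
    return sorted(k for k in old if old[k] != new.get(k))
```

    • Note that the expression sees the raw body, so the value is still percent-encoded; a card number sent as 4242%204242%20... would be aliased in that encoded form. Decode it yourself before aliasing if you need the alias to stand for the plain digits.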

  • We want to provide our own certificate for our Custom Hostname. How do we do that?

    • At the moment VGS does not support accepting and provisioning customer-provided certificates. We issue, manage and provision certificates to our edges ourselves.

  • I want a CNAME, how soon should I get a CNAME before I go live?

    • We recommend setting it up at least 48 hours before you want to use it in production. The reason is that several DNS filtering services, such as OpenDNS, block newly issued subdomains because those are often used for fraudulent purposes.

  • Can echo.sandbox.verygoodvault.com be used for test purposes only or for production as well?

    • The echo server https://echo.sandbox.verygoodvault.com/ is for testing only; it must not be used with sensitive data.

  • Can VGS swap out a PAN on a PDF with a token value, or does it just redact the PAN from the PDF?

    • Our PDF redaction blurs the part of the PDF page containing the PAN (you configure the PAN position via coordinates). Only that rectangle is blurred, so the PAN must be at a static position in the document.

  • What happens if I provide a value with invalid length/format with format preserving alias format set?

    • In that case the alias is created in UUID format. See the alias format descriptions in the documentation for details.

  • What protective measure have been put in place against the possibility of a DDoS attack?

    • Typical measures include a WAF, powered by AWS, and DDoS mitigation at Layer 3.

  • How do I migrate existing data from my storage?

  • If my route is <VAULT_ID>.sandbox.verygoodproxy.com, do I make my CNAME point to that or sandbox.verygoodproxy.com?

    • You have to point to sandbox.verygoodproxy.com for Sandbox or to live.verygoodproxy.com for LIVE.

  • How do you monitor availability and uptime? And how often do you perform backups?

    • Availability and uptime monitoring: multiple providers run synthetic transactions against us to measure uptime.

    • Regular backups: i) daily incremental and weekly full backups are configured for the database; ii) databases are replicated to a secondary data center in real time; iii) for HA, we replicate across Availability Zones, so we have the capacity to fail over; iv) robust disaster recovery policies, tested at least annually.

  • What Cloud Provider does VGS use? What regions are VGS data centers in?

    • VGS uses Amazon Web Services (AWS) and operates out of US East 1 (Virginia) in the US, EU Central 1 (Frankfurt, Germany) in the EU and AP Southeast 1 (Singapore) in APAC. There is also a disaster recovery data center in US East 2 (Ohio).

  • Who issues your certificates and what kind of certs are they?

    • Regular TLS certificates for HTTPS traffic, issued for your CNAME by Let's Encrypt.

  • How to migrate data from a third-party SFTP to your VGS vault?

    • The general migration process looks like this:

    • Have the third party provide the information you require to VGS as a CSV via SFTP. The third party provides the SFTP credentials (host, port, user and password) to VGS encrypted with the VGS PGP public key; alternatively, VGS can host the SFTP server and encrypt the credentials with the third party's PGP key. The VGS PGP key to use for encrypting the credentials can be found at https://www.verygoodsecurity.com/keys/vgs.pgp.txt.

    • You will need to specify which information VGS should tokenize/alias and the token/alias format you require. The available alias formats are listed at https://www.verygoodsecurity.com/docs/terminology/nomenclature#alias-formats.

    • Once VGS has aliased the CSV, we provide the aliased CSV encrypted with your PGP key, either by placing it on your SFTP server or by hosting the file on ours.

  • Can the VGS service parse the GraphQL format?

    • VGS can take a payload and alias parts of it, but for a GraphQL payload you would need to use a regular expression (RegEx). This is not recommended: GraphQL payloads can change shape, and there is no guarantee that the expression does not accidentally alias another value that should not be aliased/tokenized. Handle such payloads in JSON format instead.

  • When VGS sends requests to downstreams like Stripe, do you reuse the connection for multiple requests?

    • Yes, VGS reuses connections.

  • How should I use the inbound connection if I have a tightly coupled app (like using template views in Django)?

    • You have a few options. You can use the inbound route to load your website through the URL provided during the integration process. Alternatively, if you do not want to load your site through the service, you can post only the sensitive data to that URL followed by the path.

  • How should I use the inbound connection if I have a loosely coupled app (e.g. React front end connecting to a Java backend via API)?

    • The best pattern here is to post the data to the URL provided and later replace it with a CNAME that forwards to your API hostname.

  • What's the best pattern for promoting Routes and Filters to the Live (production) environment.

    • We recommend standard development best practices: use a Sandbox vault as your dev/staging/canary environment, run automated and integration tests against it (with FAKE data) and promote to Live only once the tests pass. Additionally, as part of your SDLC, keep the configuration in source control (using the command line tool, currently available for enterprise customers) so you can easily roll back if the configuration causes side effects not seen in testing.

  • I want to try routing my outbound traffic through VGS, but it's difficult to chain VGS's forward proxy with my existing proxy configuration. Is there an alternative?

    • As a workaround for testing, development, and building proof of concepts, you can use a VGS reverse proxy between your servers and the third party service.

  • What happens to the information I pass to VGS for redaction if my upstream server returns a non-200 status code?

    • If a redact or reveal operation is configured on the REQUEST phase of a call, it always runs, regardless of the upstream status code. If the operation is configured on the RESPONSE phase, it runs only if the response still carries a body to operate on. For example, if the upstream server returns a 404 with an empty body, the redact or reveal cannot take place because there is no body to operate on.

  • How can I get a more detailed error log, or stack trace for my Larky (Starlarky) script?

HTTP Proxy

  • IP addresses to include on an allowlist

    • The Sandbox environment will originate requests from 18.215.58.36, 34.194.18.145, 34.206.157.22

    • The Live environment will originate requests from 52.6.216.177, 52.7.148.215, 52.72.130.32.

    • The Live environment for EU region will originate requests from 3.127.9.201, 52.58.226.180, 35.157.113.181, 3.124.157.86, 3.127.53.149, 3.123.45.10.

    • The Live environment for AP region will originate requests from 13.251.51.26, 13.228.44.128, 18.142.82.242, 18.142.40.114, 18.139.189.91, 13.214.75.36, 54.169.99.34, 13.251.247.188, 13.214.106.172, 13.213.112.215, 52.220.35.47, 13.213.106.145.

    • If you are using webhook notifications, add the IPs listed in this section to your allowlist.

    • Also check our Integration guide, which lists the IP ranges.
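
    • An added example (not part of the VGS integration guide) of turning the addresses above into an allowlist check at your upstream or webhook receiver, in Python. It parses the peer address with the ipaddress module so malformed input fails closed, keeps the four environments distinct so a Sandbox address is refused by a Live endpoint, and takes the address from the TCP peer rather than from a client-controlled header. The table is a copy of the addresses as listed here; verify it against the Integration guide before relying on it.

```python
import ipaddress

# Egress addresses exactly as listed in this FAQ, keyed by environment. Treat
# this table as a snapshot: re-check it against the Integration guide before
# deploying, and keep the environments separate so that a Sandbox proxy can
# never reach a production upstream.
VGS_EGRESS = {
    "sandbox": ["18.215.58.36", "34.194.18.145", "34.206.157.22"],
    "live-us": ["52.6.216.177", "52.7.148.215", "52.72.130.32"],
    "live-eu": ["3.127.9.201", "52.58.226.180", "35.157.113.181",
                "3.124.157.86", "3.127.53.149", "3.123.45.10"],
    "live-ap": ["13.251.51.26", "13.228.44.128", "18.142.82.242", "18.142.40.114",
                "18.139.189.91", "13.214.75.36", "54.169.99.34", "13.251.247.188",
                "13.214.106.172", "13.213.112.215", "52.220.35.47", "13.213.106.145"],
}

# Parsed once, so the per-request check is a dict lookup on a normalised address.
_ENV_BY_ADDRESS = {
    ipaddress.ip_address(ip): env for env, ips in VGS_EGRESS.items() for ip in ips
}


def vgs_environment_for(source_ip):
    """Name of the VGS environment that owns source_ip, or None.
    Unparseable input (empty strings, hostnames, injected header junk) is None."""
    try:
        address = ipaddress.ip_address(str(source_ip).strip())
    except ValueError:
        return None
    return _ENV_BY_ADDRESS.get(address)


def accept_from_vgs(source_ip, expected_environment):
    """Allowlist decision for an upstream or webhook receiver bound to one environment."""
    return vgs_environment_for(source_ip) == expected_environment


def peer_address(environ):
    """Take the TCP peer address (REMOTE_ADDR), not X-Forwarded-For: the
    forwarded header is client-controlled unless your own load balancer is
    the peer and is known to overwrite it."""
    return environ.get("REMOTE_ADDR", "")
```

    • Bind each receiver to exactly one environment name; a Live upstream that also accepts the Sandbox addresses lets test traffic from any tenant's Sandbox vault reach production.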

  • Can the header fields be stripped in the HTTP requests?

    • We can enable transparent mode for you. In this mode, the VGS-request-id and x-forwarded-* headers are not added to the requests you make.

  • Can regular expressions be used for the Pathinfo?

    • Yes, you can use regular expressions in the Pathinfo field. If you use a regex, make sure you select the matches option from the drop-down menu.

  • Do we have to send all of our traffic through the VGS?

    • No. You can segment traffic by assigning a custom CNAME such as vault.company.com and sending only the sensitive traffic to it.

  • When should I use the begins with filter?

    • Use the begins with filter for anything that will not match exactly. For example, for /users/27 you would use Pathinfo begins with /users, because each user has a unique ID. Additionally, check the Content-Type: if it includes charset=UTF-8 after the MIME type, a filter on just the MIME type will not match exactly.

  • How does Host Matching work compared to Filter Condition and Operation Config Matching?

    • If the request does not match any defined Host, the proxy responds with a 400 and tells you to add the host to the allowlist. If the Host matches but the PathInfo or the filter conditions do not match, and/or the operation configs find no matching payload parts, the request is passed through without any modification and without any error being reported. Because that passthrough is silent, confirm in the access logs that a new filter actually matched before sending real data through it.

  • For PCI compliance, what do I need to redact?

    • For PCI compliance, the minimum you must redact is the PAN and the CVV/CSC. The CVV/CSC must use volatile storage, because sensitive authentication data may not be retained after authorization.

  • Can VGS accept inbound and outbound requests from different domains?

    • Yes, the two are configured separately. On your inbound, you'll redact sensitive data as it comes in and store the corresponding aliases in place of the data. You can then send the data to as many different domains or third-parties as needed; on the outbound request, the alias will be replaced by the revealed data.

  • Do you support IP allowlists for Inbound routes?

    • Yes, we support IP allowlists for both inbound and outbound connections. Check the docs for how to enable the feature.

  • Do you have any examples of XML detokenization?

    • We do not have an explicit XML detokenization example; it works the same as for JSON. Use an XPath expression to select the text of the XML element whose value should be redacted to a VGS alias, or, for detokenization, to select the alias to reveal. Route filters support different operation types and can be configured flexibly for different kinds of data.
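
    • An added example (not from the VGS documentation) of the XPath-driven swap described above, using Python's xml.etree.ElementTree, which implements a subset of XPath (paths such as .//card/number and simple [@attr='x'] predicates, not text()). The sample document and the alias table are constructed; redact_xml() replaces the selected text with its alias and reveal_xml() does the inverse, passing an unknown alias through unmodified as the proxy does.

```python
import xml.etree.ElementTree as ET

# Constructed sample document, not real data.
SAMPLE_XML = """<payment>
  <card>
    <number>4242424242424242</number>
    <expiry>12/30</expiry>
  </card>
  <amount currency="USD">10.00</amount>
</payment>"""


def _rewrite(xml_text, xpath, mapper):
    """Apply mapper to the text of every element the path selects.
    Returns the serialised document and the number of elements touched."""
    root = ET.fromstring(xml_text)
    hits = root.findall(xpath)
    for element in hits:
        if element.text is not None:
            element.text = mapper(element.text.strip())
    return ET.tostring(root, encoding="unicode"), len(hits)


def redact_xml(xml_text, xpath, alias_by_value):
    """Swap selected text for its alias; text with no alias is left as-is."""
    return _rewrite(xml_text, xpath, lambda value: alias_by_value.get(value, value))


def reveal_xml(xml_text, xpath, alias_by_value):
    """Swap selected aliases back to values. As the proxy does, an alias that
    is unknown passes through unmodified rather than failing the request."""
    value_by_alias = {alias: value for value, alias in alias_by_value.items()}
    return _rewrite(xml_text, xpath, lambda alias: value_by_alias.get(alias, alias))
```

    • If your documents use namespaces, ElementTree expects them in Clark notation ({urn:example}number) in the path. Treat the hit count as a cheap assertion in your tests that the path matched something, because a path that matches nothing silently leaves the PAN in place.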

  • How can I redact a file through VGS HTTP proxy?

    • You can redact any file through the VGS HTTP proxy by sending the file in your request. See the documentation for details.

  • Is the available RPM a global rate limit for the system?

    • It is not a global limit. It is applied per unique source IP for inbound and per username/password pair for outbound; more details are available in the docs.

  • How does the proxy differentiate between different tenants?

    • During the certificate issuing process, a certificate dedicated to that CNAME configuration is installed on our side. Based on the hostname the request arrives for, we route the traffic and identify the tenant.

  • Do I need two different TLS certificates for the sandbox and the live environments?

    • Yes. You need a separate CNAME for every environment, so you get two different certificates.

  • Is data specific for each vault?

    • Yes. Each vault you create holds its own copy of data and shares nothing with any other vault. If you have two vaults and store the value ABC in both of them, you will receive a unique alias for each vault which has no relationship to the other vault. There is no way to move aliases between vaults.

  • Is there a way to alias PDF files through VGS?

    • At the moment there are 3 ways to alias PDF files through VGS:

    • Send VGS the entire PDF to turn into an alias/token. This is an Advanced Operation; we can provide an example YAML file so you can see how it works on your SANDBOX vault.

    • Black out sections of the PDF. This is available in the filter of your inbound/outbound route under the PDF Meta tab; check our docs for more information.

    • Redact text in the PDF. This depends on the font and may not be supported for every document.

  • Can my VGS vault hold on to volatile data for longer than the default one hour?

  • What happens if I ask VGS to reveal an alias for data that has been deleted from my vault's volatile storage?

    • If a VGS reveal filter finds an alias that does not correspond to a piece of data currently stored in your vault, it will send the alias unmodified to the upstream host.

  • What are the different Alias Formats?

    • Check our documentation for alias format descriptions. Several alias formats are available depending on your use case: three of them provide format preservation and Luhn validation, one is a numeric length-preserving alias, and the generic alias works on all data (strings, multiple strings, arrays/lists, etc.).

  • What are Persistent and Volatile Storage types?

    • Persistent mode aliases are stored in the database per our data retention policy. Volatile storage aliases are stored only for 60 minutes by default; this can be configured within some constraints. Volatile storage is useful when you cannot keep some information in your system for compliance reasons but still need it for a series of requests, for example getting a PIN from a client and sending it in a request to a third-party service. One important note: you can only reveal an alias when the storage mode matches. If you redacted a PIN with volatile storage, a reveal operation configured for volatile storage will work for that alias, but one configured for persistent storage will not, and vice versa.

  • Do values always resolve to the same redaction alias (e.g. will 123 always be the same alias)?

    • Provided fingerprinting is turned on (the default), the same value always resolves to the same alias. Fingerprinting can be turned on or off per vault.
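
    • The three answers above (reveal passes an unknown alias through unmodified; reveal requires the storage mode to match; fingerprinting makes equal values resolve to the same alias) describe behaviour that is easy to get wrong in an integration and awkward to test against the live proxy. The following Python class is an added example, not VGS's implementation: a local test double that models those rules plus the 60-minute volatile expiry, so the redact/reveal logic in your own service can be unit-tested with fake data before it touches the Sandbox. Scoping fingerprints per storage mode and the alias shape are modelling choices of the example.

```python
import hashlib
import secrets
import time


class ToyVault:
    """Local test double reproducing the alias rules stated in this FAQ:
    reveal only succeeds when the storage mode matches, unknown or expired
    aliases pass through unmodified, and fingerprinting makes the same value
    resolve to the same alias. It is not VGS's implementation."""

    VOLATILE_TTL_SECONDS = 60 * 60  # the FAQ's default of 60 minutes

    def __init__(self, fingerprinting=True, clock=time.monotonic):
        self.fingerprinting = fingerprinting
        self.clock = clock  # injectable so tests can fast-forward the expiry
        self._records = {}       # alias -> (value, storage, expires_at or None)
        self._fingerprints = {}  # (storage, sha256(value)) -> alias

    def redact(self, value, storage="PERSISTENT"):
        # Modelling choice: a fingerprint is scoped to the storage mode, so the
        # same value redacted as VOLATILE and as PERSISTENT gets two aliases.
        key = (storage, hashlib.sha256(value.encode()).hexdigest())
        if self.fingerprinting:
            existing = self._fingerprints.get(key)
            if existing is not None and self._is_live(existing):
                return existing
        alias = "tok_sandbox_" + secrets.token_hex(11)
        expires_at = self.clock() + self.VOLATILE_TTL_SECONDS if storage == "VOLATILE" else None
        self._records[alias] = (value, storage, expires_at)
        self._fingerprints[key] = alias
        return alias

    def reveal(self, alias, storage="PERSISTENT"):
        """The value behind alias, or the alias itself when it cannot be revealed."""
        if not self._is_live(alias):
            return alias
        value, stored_as, _ = self._records[alias]
        return value if stored_as == storage else alias

    def delete_alias(self, alias):
        """Mirror the Vault API: drop the alias; later reveals pass it through."""
        self._records.pop(alias, None)

    def _is_live(self, alias):
        record = self._records.get(alias)
        if record is None:
            return False
        expires_at = record[2]
        if expires_at is not None and self.clock() >= expires_at:
            del self._records[alias]
            return False
        return True
```

    • A reveal that returns its input unchanged is the symptom to assert on in your tests: it is exactly what "my data is not revealing" looks like in production, whether the cause is a storage-mode mismatch, an expired volatile alias or an alias from another vault.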

  • How many IP addresses are available for IP anonymization?

    • We have approximately 2,000 IP addresses available.

  • What is the typical message flow?

    • See the message flow diagram in our documentation.

  • Can the records be removed from the expired cards?

    • Yes, records can be removed upon request and per our data retention policy.

  • If I send some sensitive data from two different endpoints, will I get 2 different aliases or the same alias twice?

    • Provided the fingerprinting setting is turned on (the default), the same value always resolves to the same alias, whichever endpoint it arrives from. Fingerprinting can be turned on or off for a vault on the Dashboard (Settings -> Advanced). NOTE: turning fingerprinting off can lead to additional charges, because every redaction then creates a new alias.

  • If I have 2 inbound routes set up on VGS, how can I specify which one to use?

    • You need a separate CNAME for the additional route; the proxy selects the inbound route by the hostname the request arrives on.

  • Are the sandbox credentials and private keys issued by VGS different for production?

    • Yes, they are different. If you need a VGS token of your RSA key in LIVE, you must create it again in the LIVE vault.

  • What can maximum payload be processed through VGS HTTP proxy?

    • Through the VGS HTTP proxy you can process payloads up to 24 MB. For anything larger, use SFTP.

  • Is it possible to have volatile storage and persistent storage for different keys in the same payload?

    • Yes, you can have persistent and volatile aliases in the same payload.

  • If I switch to a Live account, can the aliases generated in Sandbox still be used in Live?

    • No. The original aliases will not be available in your LIVE vault; we keep the aliases of the SANDBOX and LIVE environments separate. The SANDBOX vault is for testing, while the LIVE vault is for real transactions.

  • Why can't I enable 'Record Payloads' on my Live vaults?

    • Unfortunately, recording payloads on Live vaults is not possible, as it would record and allow viewing of sensitive data by your team and by VGS support staff with access to your organization, which could breach PCI or other compliance standards.

  • How can I migrate data from my current vault to a new vault?

    • The process of data migration between vaults is self-service. For a detailed explanation, follow the step-by-step guides on our support community portal.

    • Note: VGS aliases are unique for each vault. You would not have the same aliases as the current vault inside your new vault.

  • What is the default timeout for HTTP proxy?

    • The default timeout for the reverse proxy is 90 seconds and for the forward proxy 35 seconds.

SFTP Proxy

  • What is the default timeout for proxy?

    • Depending on the SFTP client parameters, timeouts can occur at 5 minutes, 15 minutes or longer. Keep in mind that file size also matters: the SFTP proxy might not be able to process very large files without issues.

Managed File Tokenization (MFT)

  • When is the scheduled maintenance window for MFT?

    • The maintenance window for MFT is every Tuesday, from 2:00 PM to 4:00 PM PST.

  • What should I expect during the maintenance window?

    • During this time, MFT services may be temporarily unavailable or experience disruptions.

VGS Collect

  • Can you bundle VGS Collect JS into our JS file to remove dependency?

    • No, this would violate PCI compliance. Bundling VGS Collect JS with your own JS would mean you could technically alter the script. VGS Collect JS cannot be served from your server; it must be served by our PCI-compliant servers.

  • How can I use VGS Collect, or VGS Show with Flutter, React Native, or any other Mobile development framework?

    • VGS does not support frameworks other than the native SDKs we provide; however, you can always import our native SDK into your development framework. You can see how we have done this with React Native and other frameworks in our documentation.

  • Is the alias created by VGS Collect the same as created by the Vault API?

    • Yes, aliases created using the VGS Collect and Vault APIs will be the same within the same vault.

  • Does VGS Collect perform validations on submitted card numbers?

    • Yes, VGS Collect performs a Luhn validation check on entered card numbers; however, some numbers, e.g. test cards, also pass this check. To perform more advanced checks on cards prior to further operations or storage, you can use Larky: https://www.verygoodsecurity.com/docs/vault/developer-tools/larky

VGS Show

  • Is there a Node package, or module I can load into my application for VGS Show? Why do I need to use a script tag to load VGS Show?

    • When using VGS Show on a Live vault, the script from the integration guides cannot reveal your live data, because we compile a custom version of the script that is enabled for your specific vault only. That is why we cannot provide a Node package loadable via NPM or another package manager; only the custom version hosted and provided by VGS works.

Vault API

  • When using the Vault Api to delete an alias, does this just remove the alias or does this also delete the data that the alias represents?

    • Only the alias is deleted. The underlying data remains, but you can no longer access it. Be certain that you no longer need access before removing the aliases for a value stored with VGS. Depending on regulations, certain data requires that we keep a record, which is why the underlying data is not deleted.

  • Does VGS support IP allowlists on vault API?

Observability (Logs and monitoring)

  • What data types does the access logger selector currently support?

    • JSON, XML and application/x-www-form-urlencoded (not multipart/form-data).

  • It doesn’t look like proxy_processing_duration_ms is being recorded correctly. There are proxy_processing_duration_ms.sum and proxy_processing_duration_ms.count but neither are histogram type.

    • This behavior is expected: metrics with a histogram view get converted from Prometheus. If you need send_distribution_buckets and/or send_histogram_buckets, message us at [email protected].

  • How often and how fast statistics data is updated?

    • Statistics data is updated continuously; the delay may range from 1 to 4 minutes.

  • Values are fractional, not integers. It's not clear how to count this data, even a single transaction appears in several different metrics for a period of time of several minutes.

    • Our metrics are rates that are always aggregated over four minutes. Summing them over four minutes produces a value close to the integer count.

  • Cannot get an actual sum of response codes. They always come out in decimal.

    • Our metrics are rates that are always aggregated over four minutes, which is where the decimals come from. Summing them over four minutes produces a value close to the integer count.

  • Is it possible to get raw counts rather than the aggregated results?

    • If you need the original integer counter values, you can retrieve them using the Prometheus API, which can be set up for this purpose. However, to handle counter zeroing, you’ll still need to apply functions like rate() or increase() - even with Prometheus metrics. Note that these functions will produce decimal values as output.

  • Have trouble counting our interaction statistics. We get non-integer numbers. Is it possible to export in Prometheus a simple monotonic increase counter for the number of interactions?

    • The Prometheus rate() function extrapolates when querying, and this is where the double rounding error comes from. The article "How Exactly Does PromQL Calculate Rates?" explains how the extrapolation algorithm works. It might be possible to ship a monotonic counter in a future version of the metrics, but right now we apply rate() before we export. Please note that the primary use case for the metrics is getting insight and setting alerts when something has changed or gone wrong, not precise calculations such as those needed for billing. If rate() were applied to the metrics after they were received, it would produce the same rounding errors when summing over time, which is why exporting a monotonic counter is probably not the solution for your concern. Internally, we ignore the double-precision error and use round() to produce nice-looking values in alert messages.
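
    • To make the extrapolation concrete, here is an added Python port of the extrapolatedRate() algorithm the linked article describes (this is the example's own code, not VGS's exporter or Prometheus itself). It takes the samples of one series inside the left-open window (start, end], handles counter resets, applies the extrapolation and the zero-crossing clamp, and returns increase() or rate(). The two sample series are constructed: a counter that ticked once between two 15-second scrapes, and one that reset mid-window.

```python
# Samples are (timestamp_seconds, value) pairs, oldest first, as a Prometheus
# range vector would hold them for a single series.

# Constructed: a counter scraped every 15 s that went from 5 to 6 once, at t=30.
SAMPLES = [(0.0, 5.0), (15.0, 5.0), (30.0, 6.0), (45.0, 6.0), (60.0, 6.0)]
# Constructed: the same cadence with a counter reset (process restart) at t=45.
SAMPLES_WITH_RESET = [(15.0, 8.0), (30.0, 9.0), (45.0, 1.0), (60.0, 2.0)]


def _extrapolated_rate(samples, range_start, range_end, is_counter, is_rate):
    """Port of Prometheus' extrapolatedRate() as described in the linked article.
    Samples are taken from the left-open window (range_start, range_end]."""
    window = [(t, v) for t, v in samples if range_start < t <= range_end]
    if len(window) < 2:
        return None  # PromQL returns no sample for fewer than two points

    first_t, first_v = window[0]
    last_t, last_v = window[-1]
    result = last_v - first_v
    if is_counter:
        # A drop between consecutive samples is a reset: add back the old value.
        prev = first_v
        for _, value in window[1:]:
            if value < prev:
                result += prev
            prev = value

    duration_to_start = first_t - range_start
    duration_to_end = range_end - last_t
    sampled_interval = last_t - first_t
    avg_between_samples = sampled_interval / (len(window) - 1)

    if is_counter and result > 0 and first_v >= 0:
        # Never extrapolate further back than the point where the counter was zero.
        duration_to_zero = sampled_interval * (first_v / result)
        duration_to_start = min(duration_to_start, duration_to_zero)

    # Stretch towards the window edges, but by at most half an average scrape
    # interval when the gap to the edge is suspiciously large.
    threshold = avg_between_samples * 1.1
    extrapolate_to = sampled_interval
    extrapolate_to += duration_to_start if duration_to_start < threshold else avg_between_samples / 2
    extrapolate_to += duration_to_end if duration_to_end < threshold else avg_between_samples / 2

    result *= extrapolate_to / sampled_interval
    if is_rate:
        result /= range_end - range_start
    return result


def increase(samples, range_start, range_end):
    """PromQL increase(): extrapolated growth of a counter over the window."""
    return _extrapolated_rate(samples, range_start, range_end, is_counter=True, is_rate=False)


def rate(samples, range_start, range_end):
    """PromQL rate(): the same, divided by the window length in seconds."""
    return _extrapolated_rate(samples, range_start, range_end, is_counter=True, is_rate=True)
```

    • With the single tick, increase() over a 60-second window reports 4/3 rather than 1, because the one increment observed across 45 seconds of samples is stretched to the 60-second window; round() brings it back to 1, which is what the FAQ does for alert text. The reset series shows why "last minus first" computed by hand is wrong for counters.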

  • What does LE label mean in some of the metrics coming out of the Prometheus integration?

  • Is there a particular grafana version we need to be on for Prometheus integration?

    • Our metrics solution doesn't provide Grafana capable API, but rather raw Prometheus metrics that you can pull into your own Prometheus. For reference: Configuration | Prometheus.

    • Once integrated, these metrics can be used inside your Prometheus and visualized on your own Grafana boards.

  • My organization is using Control, and I would like to request an audit log

  • Didn’t find the answer to your question or have a feature request?

  • Is there a way we can look up the logs for more than past 24 hrs?

    • On Access logs page there is no way to fetch logs that are older than 24 hours. But we can fetch any historical data from our internal storages upon request (contact support via email).

Troubleshooting

  • I'm getting errors that the host doesn't match request URL basename. How do I fix this?

    • Make sure you serve the content via the tenant address (https://<VAULT_ID>.sandbox.verygoodproxy.com). We add X-Forwarded-Host headers for you. (If you are communicating via API, client to server, you do not need to do this.)

  • I'm getting the following CORS error: Access... has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response. How do I resolve this?

    • Make sure *.verygoodvault.com and *.verygoodproxy.com are on your list of allowed hosts.

    • Verify that Access-Control-Allow-Methods is set to GET,PUT,POST,DELETE,OPTIONS.

    • Verify that Access-Control-Allow-Headers includes content-type,vgs-client.

    • Verify that Access-Control-Allow-Origin echoes the requesting origin when it is https://js.verygoodvault.com or https://js3.verygoodvault.com; the header accepts only a single origin value, so the two cannot be listed together.
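
    • Access-Control-Allow-Origin accepts a single origin, so a server must echo the requesting origin when it is one of the two allowed hosts rather than listing both. The following Python handler is an added example (not VGS's code) that implements the points above that way: it validates the Origin, the requested method and the requested headers of a preflight, returns no CORS headers at all for anything else, and adds Vary: Origin so caches do not replay one origin's answer to another. The WSGI environ shape and the 403/204 status choices are the example's own.

```python
# Values from this FAQ. Access-Control-Allow-Origin carries exactly one origin,
# so the server echoes the requesting origin when it is allowlisted rather than
# sending both hostnames in one header (which browsers reject).
ALLOWED_ORIGINS = frozenset({"https://js.verygoodvault.com", "https://js3.verygoodvault.com"})
ALLOWED_METHODS = ("GET", "PUT", "POST", "DELETE", "OPTIONS")
ALLOWED_HEADERS = ("content-type", "vgs-client")


def cors_headers(origin, requested_method=None, requested_headers=None):
    """Response headers for a preflight (OPTIONS) or an actual request.

    origin            -- the Origin request header
    requested_method  -- Access-Control-Request-Method, on preflights only
    requested_headers -- Access-Control-Request-Headers, on preflights only
    Returns {} when the request must not be granted, so nothing leaks to an
    unexpected origin and the browser fails the preflight."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    if requested_method is not None and requested_method.upper() not in ALLOWED_METHODS:
        return {}
    if requested_headers:
        asked = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
        if not asked.issubset(ALLOWED_HEADERS):
            return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # caches must not serve one origin's answer to another
        "Access-Control-Allow-Methods": ",".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ",".join(ALLOWED_HEADERS),
    }


def wsgi_preflight(environ):
    """Minimal WSGI-style OPTIONS handler built on cors_headers().
    Returns (status, header list)."""
    headers = cors_headers(
        environ.get("HTTP_ORIGIN", ""),
        environ.get("HTTP_ACCESS_CONTROL_REQUEST_METHOD"),
        environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS"),
    )
    if not headers:
        return "403 Forbidden", []
    return "204 No Content", list(headers.items())
```

    • Header names in Access-Control-Request-Headers are compared case-insensitively, which is why the allowlist is kept in lowercase; the browser's error message quotes content-type in lowercase for the same reason.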

  • I am testing a Luhn valid card, but Collect is returning the card as invalid.

  • I keep sending a 16 digit number but Format Preserving Aliases are not working, why not?

    • For format preserving to work, the value must be Luhn valid. If it's not, you'll see it redacted using our universal alias format.
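
    • An added Python example (not VGS's code) that runs the same Luhn check locally before a value is sent for aliasing, so a non-Luhn 16-digit value is caught rather than silently coming back in the universal format. It also serves the Collect question above: luhn_valid() accepts issuer test numbers, which is exactly why Collect's check alone is not a liveness test. The format labels FORMAT_PRESERVING and UUID in expected_alias_format() are placeholders for the formats named in the alias-format documentation, and luhn_check_digit() is a helper for building valid test data.

```python
def luhn_valid(number):
    """True if number (digits only) passes the Luhn check.
    Being Luhn-valid does not mean a card is real or live: issuer test numbers
    such as 4111 1111 1111 1111 pass too. The check is deliberately strict
    about non-digits so spaces or dashes are noticed before the proxy sees them."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def luhn_check_digit(partial):
    """Check digit that makes partial + digit Luhn-valid; handy for test data."""
    if not partial or not partial.isdigit():
        raise ValueError("partial must be one or more digits")
    total = 0
    for position, char in enumerate(reversed(partial)):
        digit = int(char)
        if position % 2 == 0:  # shifted by one because the check digit is appended
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


# Hypothetical labels for the two outcomes the FAQ describes; the real format
# names are the ones in the alias-format documentation.
FORMAT_PRESERVING = "FORMAT_PRESERVING"
FALLBACK = "UUID"


def expected_alias_format(value, requested=FORMAT_PRESERVING):
    """Predict what the vault will do: a format-preserving request on a value
    that is not Luhn-valid falls back to the universal (UUID) alias format."""
    if requested != FORMAT_PRESERVING:
        return requested
    return FORMAT_PRESERVING if luhn_valid(value) else FALLBACK
```

    • Run expected_alias_format() on the value in your own tests and fail the test when it does not return the format you configured; that turns the silent fallback into a visible assertion before the reveal on the outbound side breaks.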

  • I am trying to pass very large files through the SFTP proxy, but my downloads keep timing out. How do I fix this?

    • There are a number of operational challenges in using a proxy architecture on very large files, not only because of the file size but also because the programs sending or retrieving large files are often not capable of sustaining an open SFTP connection for long periods. VGS offers a solution called Managed File Transfer which aims to resolve these operational issues; see its documentation for details.

  • I keep seeing CSRF exceptions. How do I work with my particular framework to still enforce CSRF while using VGS.

    • The easiest way to solve this is to check the documentation for your framework: run it behind a reverse proxy (for example NGINX) and configure its CSRF settings accordingly.

  • My data is not revealing on the outbound connection.

    • The most common cause is that the alias storage mode differs between the redact and the reveal, OR the alias format differs (e.g. you redacted with FP 6_T_4 and are trying to reveal with FP T_4).

  • I've tried everything above, but cannot figure out the error, what do I do?

    • Contact support via email or our in app chat and provide the vgs-request-id with a description of the error you got.

  • What to do if I see net::ERR_CONNECTION_CLOSED in console when my app tries to initialize vgs-collect?

    • You might need to add verygoodvault.com and verygoodproxy.com to your allowlists, as your production web-filter policy could be blocking them.

  • I am using Vault API in my project, and I am trying to make a request to reveal my aliases but give me error 403.

    • Make sure the VGS support team has turned on the Vault API "reveal" feature for your vault. If not, contact [email protected].

  • I’m getting an error while adding a new CNAME (instead of the wrong one) on Dashboard.

    • When you create or change a CNAME you also specify a TTL (Time To Live) attribute. It is a sort of expiration time on a DNS record that tells recursive servers and local resolvers how long to keep the record in their cache; the longer the TTL, the longer resolvers hold that information. If you point your CNAME at the wrong target with a TTL of 300 seconds, our cert-manager will keep using the cached value for those 300 seconds. To point your CNAME at a different target, wait for that TTL to expire and then make the change.

  • I'm getting a 504 error on outbound. What is this?

    • A 504 status code on an outbound route means the upstream host (the third party you are calling) did not complete the CONNECT request: it refused it or answered with something other than a valid HTTP status. This can mean several things: the tunneling (CONNECT proxy) setup on your server side is incorrect, the third party has not allowlisted our static outbound IP addresses, or the third party requires mutual TLS.

  • I get this error: Invalid proxy configuration: You need to add the host to the allowlist ... on the dashboard., although I do not use IP allowlisting.

    • This error usually means you are using the wrong Access Credentials. Make sure you use the credentials issued for the current vault.

  • Is VGS down?

    • You can find the current status of our services on the VGS status page.

Compliance

  • Which compliance certifications does VGS have?

    • Please visit the VGS Trust Center to learn more about VGS' certifications and security posture.

  • Is it required to store the billing address/name encrypted, or does PCI compliance allow an unencrypted billing address/name?

    • It is not required unless the name and address are stored together with the PAN. If you store them with the PAN, they must be protected, and the stored PAN must be rendered unreadable using one of the following methods:

    • One-way hash functions based on strong cryptography – also called a hashed index, which exposes only index data that points to the records where the sensitive data actually resides.

    • Truncation – removing a data segment, such as keeping only the last four digits.

    • Index tokens and securely stored pads – an encryption scheme that combines the sensitive plaintext with a random key or “pad” that is used only once.

    • Strong cryptography – with associated key-management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography”.

    • You can find more information at the following link: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
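As an added example (not VGS code and not taken from the PCI fact sheet), here are the first three methods above implemented with Python's standard library: truncation, a keyed one-way hashed index, and an index token with a one-time pad. The PAN and key are constructed test values. The fourth method, strong cryptography with key management, is omitted because the standard library has no AES; and with VGS the PAN never reaches your database in the first place, so in practice you store the alias and none of this is needed for the PAN.

```python
import hashlib
import hmac
import secrets

# Constructed test input: a well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"
# Constructed key. In production this lives in a key-management system, never in code.
INDEX_KEY = bytes.fromhex("0f" * 32)


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits. The other digits are discarded,
    not masked, which is what distinguishes truncation from display masking."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """One-way hashed index of the entire PAN, using HMAC-SHA-256 with a secret key
    rather than a bare SHA-256. The PAN space is small (at most 19 digits with a Luhn
    check), so an unkeyed hash table can be reversed by brute force once it leaks;
    the key is also what stops last-four and index being combined to narrow that search."""
    if len(key) < 32:
        raise ValueError("index key must be at least 32 bytes")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def index_token(pan: str):
    """Index token with a one-time pad: token = PAN XOR a random pad of equal length.
    The pad must be stored securely and separately from the token and used only once.
    Returns (token, pad)."""
    data = pan.encode("ascii")
    pad = secrets.token_bytes(len(data))
    token = bytes(a ^ b for a, b in zip(data, pad))
    return token, pad


def recover_from_token(token: bytes, pad: bytes) -> str:
    """Reverse index_token(); only possible with access to the securely stored pad."""
    if len(token) != len(pad):
        raise ValueError("token and pad lengths differ")
    return bytes(a ^ b for a, b in zip(token, pad)).decode("ascii")


def unreadable_record(pan: str, key: bytes) -> dict:
    """What a database row can hold instead of the PAN: the last four digits for
    display and a keyed index for lookup. Neither field alone reveals the PAN."""
    return {"last4": truncate_pan(pan), "pan_index": hashed_index(pan, key)}


if __name__ == "__main__":
    print(unreadable_record(SAMPLE_PAN, INDEX_KEY))
    tok, pad = index_token(SAMPLE_PAN)
    print(recover_from_token(tok, pad) == SAMPLE_PAN)
```

Lookups by card then compare `hashed_index(candidate, INDEX_KEY)` against the stored `pan_index`; rotating `INDEX_KEY` requires re-indexing, which is the key-management burden the "strong cryptography" option refers to.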

  • Can I reveal credit card information in my mobile app? Can I reveal credit card information from my website?

    • It depends on the use case. If you are a card issuer or an eWallet, you can reveal the card information through your mobile app (iOS/Android). If you reveal it on a website (or you are not a card issuer or eWallet with only a mobile app), you can still reveal the card information, but you are then required to follow Requirement 8 of PCI DSS (identifying users and authenticating access). See Requirement 8 here.

  • If the expiration date (month/year) of a credit card is stored in our database along with the VGS-aliased credit card number, how does it affect our PCI compliance? Do we need to tokenize the expiry date too?

    • No, you are not required to alias the expiration date; PCI DSS permits storing it. The card number (PAN), however, must not be stored in clear text, so aliasing it with VGS keeps the PAN out of your systems and out of your PCI scope. Note that the CVC/CVV must only be kept in volatile storage: it must never be persisted after authorization (you can find more information at the following link).

  • Why do you charge $40 per TLS certificate for a CNAME?

    • TLS termination needs to happen on the VGS side to fully descope our customers under PCI compliance requirements. The cost covers issuing, renewing, provisioning and managing the certificate.

  • Is it necessary to alias the bank account number and routing number?

    • We strongly recommend aliasing at least the bank account number. Aliasing both is preferable and is enough to mitigate ACH fraud in most cases.
