A FinTech Roadmap to Data Security and Compliance with VGS and AWS
By Marshall Jones, CTO and Co-Founder – Very Good Security (VGS)
By Chintan Sanghavi, Sr. Partner Solutions Architect – AWS
At a minimum, customers must:
- Find all of their sensitive data.
- Protect data with permissions.
- Encrypt data at rest and in transit.
- Add environment-specific layers of security.
With VGS, customers retain full control over their data while offloading information security burdens, transferring the risk of a data breach, and fast-tracking compliance.
In this post, you will see how easy it is to secure your VGS Inbound and Outbound Connections using the VGS software-as-a-service (SaaS) solution, which enables you to collect, protect, and exchange any type of sensitive information.
VGS acts as a secure layer between your company and sensitive data. VGS replaces original values—from credit card and payment data to PII—with non-sensitive aliases.
By working with VGS, your company can avoid storing sensitive information in your app, database, website, or transferring it through your network—each of which brings your company into scope and requires a mountain of continuous work in security and compliance.
VGS can route and secure this traffic before it arrives in your network. Therefore, your systems never come into contact with sensitive data, and you stay protected without any architecture changes or the need to change your application’s code or logic.
Figure 1 – VGS architecture.
VGS sits between your client’s API/user interface (UI) and your server, and it collects any type of data your customer enters. Sensitive data is replaced with aliases (safe substitute values) before it reaches your system.
With VGS aliases, you can easily and securely operate on sensitive data without the original information ever touching your server. In your local database, you only store VGS aliases.
Similarly, VGS sits between your company and third parties, using aliases to securely exchange data. You only see aliases, but third parties see the real, original data.
The VGS inbound connection or inbound route is a static reverse proxy. It routes traffic from your client side, through the VGS Vault, and to your backend systems, allowing you to protect API and web server traffic.
The inbound connection allows you to:
- Securely collect customer data.
- Replace sensitive information with aliases.
- Rewrite requests and responses.
- Set/change/strip headers.
- Modify the payload.
- Receive and operate on non-sensitive data.
Here is an example:
- Your customer sends you a social security number (SSN).
- The original data is stored in the VGS Vault.
- An alias of the SSN is stored on your server.
- For business purposes, you operate on the alias (just like the original data).
The VGS outbound connection or outbound route is a forward proxy that routes traffic from your server, through the VGS Vault, and to any third-party servers or systems.
Here is an example:
- You need to send a customer SSN to the Acme Background Check Service.
- Upon your request, VGS replaces the alias of the SSN with the original value.
- Acme Background Check Service receives the real SSN.
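As an added illustration of the inbound and outbound hops described above (constructed example code, not VGS's own software or API): a minimal in-memory vault that issues random aliases, an inbound step that replaces listed fields before a request reaches your backend, and an outbound step that swaps aliases back before a request leaves for a third party. The `Vault`, `inbound`, `outbound` and `demo` names and the sample SSN are hypothetical.

```python
import json
import secrets


class Vault:
    """Constructed stand-in for a tokenization vault: the only place the
    original value lives. Aliases are random, so an alias reveals nothing
    about the value it replaces, and the backend can store it freely."""

    def __init__(self):
        self._by_alias = {}

    def alias(self, value):
        token = "tok_" + secrets.token_hex(8)
        self._by_alias[token] = value
        return token

    def reveal(self, token):
        # An alias the vault never issued is an error, never a pass-through.
        return self._by_alias[token]


def inbound(vault, body, sensitive_fields=("ssn",)):
    """Inbound (reverse-proxy) hop: swap listed fields for aliases before the
    request reaches the backend. All other fields pass through unchanged."""
    payload = json.loads(body)
    for field in sensitive_fields:
        if field in payload:
            payload[field] = vault.alias(payload[field])
    return json.dumps(payload).encode()


def outbound(vault, body):
    """Outbound (forward-proxy) hop: swap any alias the vault issued back to
    its original value before the request leaves for the third party."""
    payload = json.loads(body)
    for key, value in payload.items():
        if isinstance(value, str) and value.startswith("tok_"):
            payload[key] = vault.reveal(value)
    return json.dumps(payload).encode()


def demo():
    """Walk a constructed SSN through both hops; return what each party saw."""
    vault = Vault()
    client_request = json.dumps({"name": "Ada", "ssn": "123-45-6789"}).encode()
    stored_by_backend = json.loads(inbound(vault, client_request))  # alias only
    # The backend forwards the record it holds (alias, not SSN) to the checker.
    sent_to_third_party = json.loads(outbound(vault, json.dumps(stored_by_backend).encode()))
    return {"backend": stored_by_backend, "third_party": sent_to_third_party}
```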
The VGS Vault is a core component of the VGS Platform. It’s a unique environment where you securely store your sensitive data.
VGS assumes the technical responsibility and legal liability of safeguarding your information, so that you can simply focus on growing your business.
Figure 2 – VGS Vault.
The VGS Vault lives in a highly available and scalable Amazon Virtual Private Cloud (Amazon VPC) where uptime is guaranteed and average latency is 15 milliseconds or less (100ms when redacting data).
VGS processes millions of requests every day, has robust system backups as well as business continuity planning, disaster recovery, and incident response.
Figure 3 – VGS Vault lives in a highly available Amazon VPC.
The VGS Vault is the home for all of your sensitive data and works in conjunction with the Inbound Connection and Outbound Connection. It is a segregated, tenant-isolated secure database with no direct access to the internet and strong controls on how the data it secures is accessed and interfaced with.
Customer Case Study
Zilch is a major player in the Buy Now Pay Later (BNPL) space and is a ubiquitous and disruptive payment platform. Zilch lets users pay anywhere that accepts Mastercard, via tap and pay, in-store, and both online and offline, at over 37 million locations. Therefore, protecting sensitive information like card data and PII is critical to its success.
Before working with VGS, Zilch collected debit card information from customers and then sent it to their acquiring partner. The acquiring partner would exchange the card number for a token. From a risk perspective, sensitive data always touched the Zilch network which left it vulnerable to attack, accidental loss, insider threat, or breach.
Zilch decided to prevent any sensitive data from ever touching its environment. It wanted to upgrade its PCI compliance from Level 3 to Level 1 with a certified Report on Compliance (RoC).
“We knew that it was going to be hugely onerous, take six-plus months to get everything set up, and it’s going to be a huge distraction,” says Sean Hederman, CIO at Zilch. “So, we started looking for options around who could hold our hands. That’s how I came across VGS.”
“The most secure kind of information is the information you don’t store at all. Even in a complete breach scenario, hackers would not get access to that card information because we simply don’t have it,” says Hederman. “VGS is a fantastic way of ensuring that card information not only arrives at the required destination but does so in a way that we are absolutely sure we cannot lose it.”
By working with VGS, Zilch was able to eliminate its card data environment (CDE) and upgrade to PCI Level 1 compliance at least 3x faster than it could have in-house.
“It’s a very elegant solution. With just a quick configuration on our side, payment card information essentially hops over our entire company,” Hederman adds. “We did the whole PCI compliance, including changing policies and the audit, in about two months.”
As Zilch expands globally, the company is enjoying the benefits of proactive compliance. The VGS Control dashboard prepares audit information for new countries and new use cases as Zilch scales.
For example, in the United States, the UK-based Zilch now needs to collect SSNs in order to obtain credit checks. Fortunately, the VGS Vault takes care of PII data just as easily as it does payment card information.
To learn more, we invite you to read more VGS case studies.
VGS allows your company to enhance both its security standing and the utility of its data, internally and with third parties. VGS accelerates your compliance certification process and helps you quickly overcome barriers to market opportunities.
With VGS, you can collect, protect, and exchange sensitive data without it ever touching your systems.
Here are the VGS basics:
- Inbound connections swap sensitive data for an alias.
- When needed, outbound connections swap it back.
- Original sensitive data is stored in the VGS Vault.
- Your business operates on non-sensitive aliases.
Learn more about AWS + VGS in this webinar covering the AWS Shared Responsibility Model and PCI compliance.
For any questions, please contact VGS via on-site chat or email at firstname.lastname@example.org.
Very Good Security (VGS) – AWS Partner Spotlight
Very Good Security (VGS) is an AWS Partner that offers a modern approach to payments compliance and personally identifiable information (PII) protection.