
Show HN: Instantly make any Netlify form PCI DSS compliant - mahmoudimus
We are big fans of Netlify [1] (it powers our website and blog!) and we wanted to scratch our own itch to comply with GDPR, as well as various upcoming data security regulations [3]. So we, Very Good Security [2], just released an add-on that lets you securely collect sensitive data (e.g. payments, PII, SSNs, identification, etc.) via web forms on Netlify.

With the new add-on, Netlify customers are shielded from data liability, breach risk and the compliance issues that come with holding sensitive data. So you can inherit PCI compliance from VGS (a level 1 service provider) and can fast-track other compliances like SOC2, HIPAA, etc.

You can read more about our add-on for Netlify on VGS’ blog:

https://blog.verygoodsecurity.com/posts/securely-capture-sensitive-data-with-vgs-and-netlify/

and on Netlify’s blog:

https://www.netlify.com/blog/2019/06/06/very-good-security-add-on-collect-data-securely/

Watch a quick video here: https://www.youtube.com/watch?v=wtYzLdpSeJo

Try it out and let us know what you think! We’d love your feedback.

[1] https://www.netlify.com

[2] https://www.verygoodsecurity.com

[3] California Consumer Privacy Act

[3] Colorado Protections for Consumer Data Privacy

[3] New York’s SHIELD act (https://www.nysenate.gov//legislation/bills/2019/S5575)
======
ledgerdev
Very cool, will try this out! I've been doing a fairly extensive integration
with their primary VGS tokenization service and it's been a solid, though
young platform with a few missing pieces they have promptly addressed. The use
of a programmable tokenizing L7 proxy seems to me the best path forward to
isolate sensitive data in systems for regulatory and security purposes. If you
store sensitive data in your application, you really should look into it.

------
sagebird
If I ask someone to place a diamond in a safe at Fort Knox, and then publish
the name and password to retrieve the diamond on a billboard, is the diamond
safe?

------
bks
I am not 100% but I believe that 'Sure name' should be Surname
[https://www.screencast.com/t/VmRZ1dlH0T](https://www.screencast.com/t/VmRZ1dlH0T)
[https://en.wiktionary.org/wiki/surname](https://en.wiktionary.org/wiki/surname)

~~~
mahmoudimus
Eagle eye! Well spotted. Flagged it to be fixed.

------
andrenotgiant
This is interesting, but one thing I didn't understand from the video demo
(which shows a background check form and a payment form)

Aren't these SaaS tools like Stripe (payments) and Checkr (background checks)
already built in a way that allows you to never have sensitive PII like
payment info or SSN touch your servers?

~~~
ledgerdev
Yes they are, BUT if you use Stripe (or any processor) for monthly recurring
charges or tokenization, the card data is permanently locked to the processor.
So what happens next year when you decide you need to use a different
processor for some reason? Well, you're out of luck and will have to force all
of your customers to re-enter payment data to change processors.

~~~
KeithBrink
Stripe supports migrating your customer data to another processor:

[https://stripe.com/docs/security/data-migrations/exports](https://stripe.com/docs/security/data-migrations/exports)

And it looks like they also support importing data from other providers:

[https://stripe.com/docs/recipes/switching-to-stripe#migratio...](https://stripe.com/docs/recipes/switching-to-stripe#migration)

~~~
ledgerdev
That is good, and some gateways do this as well, but many don't. Having the
tokens under your control means you don't have to co-ordinate a transfer
between 2 other parties, but can just proxy a new outbound request to your new
provider and be done with it.
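The inbound-redact / outbound-reveal pattern that a tokenizing proxy applies, sketched here as an added Python example that is not VGS's or Netlify's code: the in-memory vault, the field names and the `tok_` alias format are assumptions made for illustration, and the form body is constructed.

```python
import secrets
from urllib.parse import parse_qs

# Field names the proxy treats as sensitive (assumption for this example).
SENSITIVE_FIELDS = ("card_number", "ssn")
ALIAS_PREFIX = "tok_"


class TokenVault:
    """Stand-in for the isolated vault: maps aliases to original values.
    A real deployment keeps this store outside the application's trust zone."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        # Random alias: carries no information about the value it replaces.
        alias = ALIAS_PREFIX + secrets.token_hex(8)
        self._store[alias] = value
        return alias

    def reveal(self, alias):
        if alias not in self._store:
            raise KeyError("unknown alias; refusing to forward")
        return self._store[alias]


def inbound_redact(vault, form_body):
    """Inbound leg: the browser posts the form to the proxy, which swaps
    sensitive fields for aliases before forwarding to the application,
    so the application only ever stores aliases."""
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    for name in SENSITIVE_FIELDS:
        if name in fields:
            fields[name] = vault.tokenize(fields[name])
    return fields


def outbound_reveal(vault, payload):
    """Outbound leg: the application calls a processor through the proxy,
    which swaps known aliases back to originals on the way out. The same
    alias can be revealed toward any processor, so switching providers
    never requires the customer to re-enter the data."""
    return {
        k: vault.reveal(v) if isinstance(v, str) and v.startswith(ALIAS_PREFIX) else v
        for k, v in payload.items()
    }
```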

------
mackatsol
Is this new service HIPAA compliant as well? Can I collect patient health
info, have it stored in a separate vault from all my other data.. and have it
be encrypted at rest?

~~~
mahmoudimus
Yes! Thanks for asking.

If you have questions about a specific use case, feel free to email me (info
in my profile).

(disclaimer: I work for VGS)

~~~
mackatsol
Excellent.. I will be in touch ;-)

------
cdepman
This is great, thanks! The first two links are truncated and broken, however.
Please update!

~~~
mahmoudimus
Thanks for catching. Not sure why it truncated. Should be fixed now.

------
WrtCdEvrydy
Interesting, blog seems broken, bad copy paste?

~~~
mahmoudimus
Thanks for flagging. Looked like it was working at first, but must have been
truncated & cut off. Should be fixed now.

------
aanari
Nice work VGS team!