Show HN: Instantly make any Netlify form PCI DSS compliant
59 points by mahmoudimus 4 months ago | 17 comments
We are big fans of Netlify [1] (it powers our website and blog!) and we wanted to scratch our own itch to comply with GDPR, as well as various upcoming data security regulations [3]. So we, Very Good Security [2], just released an add-on that lets you securely collect sensitive data (e.g. payments, PII, SSNs, identification, etc.) via web forms on Netlify.

With the new add-on, Netlify customers are shielded from data liability, breach risk and the compliance issues that come with holding sensitive data. So you can inherit PCI compliance from VGS (a level 1 service provider) and can fast-track other compliances like SOC2, HIPAA, etc.

You can read more about our add-on for Netlify on VGS’ blog:

https://blog.verygoodsecurity.com/posts/securely-capture-sen...

and on Netlify’s blog:

https://www.netlify.com/blog/2019/06/06/very-good-security-a...

Watch a quick video here: https://www.youtube.com/watch?v=wtYzLdpSeJo

Try it out and let us know what you think! We’d love your feedback.

[1] https://www.netlify.com

[2] https://www.verygoodsecurity.com

[3] California Consumer Privacy Act

[3] Colorado Protections for Consumer Data Privacy

[3] New York’s SHIELD act (https://www.nysenate.gov//legislation/bills/2019/S5575)




Very cool, will try this out! I've been doing a fairly extensive integration with their primary VGS tokenization service and it's been a solid, though young platform with a few missing pieces they have promptly addressed. The use of a programmable tokenizing L7 proxy seems to me the best path forward to isolate sensitive data in systems for regulatory and security purposes. If you store sensitive data in your application, you really should look into it.


If I ask someone to place a diamond in a safe at Fort Knox, and then publish the name and password to retrieve the diamond on a billboard, is the diamond safe?


I am not 100% sure, but I believe that 'Sure name' should be 'Surname': https://www.screencast.com/t/VmRZ1dlH0T https://en.wiktionary.org/wiki/surname


Eagle eye! Well spotted. Flagged it to be fixed.


This is interesting, but one thing I didn't understand from the video demo (which shows a background check form and a payment form)

Aren't these SaaS tools like Stripe (payments) and Checkr (background checks) already built in a way that allows you to never have sensitive PII like payment info or SSN touch your servers?


Great question. Those are examples we built that we thought would be easily relatable to show what's possible with this integration.

Some services will give you the ability to handle PII or PCI (payments) data, but not all services make it so easy on their customers.

Also worth noting is that this Netlify integration allows you to collect sensitive info one time and then send it to as many vendors as you might need/want.

So, for example, if you get different levels of data from various background check providers, you could collect SSN, driver's license, other PII, etc. and run it through any number of vendors.

You also retain optionality and the ability to send your data wherever you want in the future.

(disclaimer: I work for VGS)


Yes they are, BUT if you use Stripe (or any processor) for monthly recurring charges or tokenization, the card data is permanently locked to the processor. So what happens next year when you decide you need to use a different processor for some reason? Well, you're out of luck and will have to force all of your customers to re-enter payment data to change processors.


Stripe supports migrating your customer data to another processor:

https://stripe.com/docs/security/data-migrations/exports

And it looks like they also support importing data from other providers:

https://stripe.com/docs/recipes/switching-to-stripe#migratio...


That is good, and some gateways do this as well, but many don't. Having the tokens under your control means you don't have to coordinate a transfer between two other parties; you just proxy a new outbound request to your new provider and are done with it.
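The "tokenizing L7 proxy" from the earlier comment and the "proxy a new outbound request to your new provider" point above describe the same architecture, so here is one added worked example of it in Python. This is illustrative code written for this page, not VGS's or Netlify's implementation: the class names, the `tok_` token format, the vendor hostnames and the sample form are all assumptions. Inbound, sensitive fields are swapped for random tokens before the application ever sees them; outbound, tokens are revealed only when the request is bound for an allowlisted vendor, which is also the answer to the "password on a billboard" objection in the thread, since a leaked token is useless without a path through the proxy to an approved destination.

```python
import re
import secrets
from typing import Callable, Dict, Set

# Added example: a minimal tokenizing proxy of the kind the comments describe.
# Illustrative code, not VGS's implementation; names and the sample form are
# constructed assumptions.

TOKEN_RE = re.compile(r"^tok_[0-9a-f]{32}$")

# Constructed inbound form submission, as a static-site form handler might receive it.
SAMPLE_FORM = {
    "email": "alice@example.com",
    "card_number": "4111111111111111",
    "ssn": "123-45-6789",
}


class TokenVault:
    """In-memory stand-in for the vault that holds the real values.

    Tokens are random, so nothing about the original value can be
    recovered from a token without access to the vault itself.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def redact(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def reveal(self, token: str) -> str:
        if token not in self._store:
            raise KeyError("unknown token")
        return self._store[token]


class TokenizingProxy:
    """Sits between browser and application (inbound) and between
    application and vendors (outbound)."""

    def __init__(self, vault: TokenVault, sensitive_fields: Set[str],
                 allowed_vendors: Set[str]) -> None:
        self.vault = vault
        self.sensitive_fields = sensitive_fields
        self.allowed_vendors = allowed_vendors

    def inbound(self, form: Dict[str, str]) -> Dict[str, str]:
        """Replace sensitive fields with tokens; the application only ever stores these."""
        return {
            key: self.vault.redact(value) if key in self.sensitive_fields else value
            for key, value in form.items()
        }

    def outbound(self, vendor_host: str, payload: Dict[str, object],
                 send: Callable[[str, Dict[str, object]], object]) -> object:
        """Reveal tokens only when forwarding to an allowlisted vendor host.

        Any other destination is refused, so a token that leaks out of the
        application database cannot be turned back into the real value.
        """
        if vendor_host not in self.allowed_vendors:
            raise PermissionError(f"refusing to reveal tokens for {vendor_host}")
        revealed = {
            key: self.vault.reveal(value)
            if isinstance(value, str) and TOKEN_RE.match(value) else value
            for key, value in payload.items()
        }
        return send(vendor_host, revealed)


def switch_processors_demo() -> Dict[str, object]:
    """Collect once, then charge through two different processors with the same token."""
    vault = TokenVault()
    proxy = TokenizingProxy(
        vault,
        sensitive_fields={"card_number", "ssn"},
        allowed_vendors={"api.processor-a.example", "api.processor-b.example"},
    )
    stored = proxy.inbound(SAMPLE_FORM)  # what the application database holds

    sent = []  # records what each vendor would actually receive

    def fake_send(host, body):
        sent.append((host, dict(body)))
        return {"host": host, "status": "ok"}

    charge = {"card_number": stored["card_number"], "amount_cents": 1999}
    proxy.outbound("api.processor-a.example", charge, fake_send)
    # Later: same stored token, different processor, no re-entry by the customer.
    proxy.outbound("api.processor-b.example", charge, fake_send)

    return {"stored": stored, "sent": sent}


if __name__ == "__main__":
    result = switch_processors_demo()
    print(result["stored"])
    for host, body in result["sent"]:
        print(host, body)
```

The point the demo makes is the one in the comment: the application database holds only `tok_…` values, and switching processors is a change to the outbound destination, not a migration of card data between two vendors. A real deployment would keep the vault behind its own access controls and audit log rather than in process memory, and would pin the allowlist to exact hosts as done here rather than to patterns.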


Is this new service HIPAA compliant as well? Can I collect patient health info, have it stored in a separate vault from all my other data.. and have it be encrypted at rest?


Yes! Thanks for asking.

If you have questions about a specific use case, feel free to email me (info in my profile).

(disclaimer: I work for VGS)


Excellent.. I will be in touch ;-)


This is great, thanks! The first two links are truncated and broken, however. Please update!


Thanks for catching. Not sure why it truncated. Should be fixed now.


Interesting, blog seems broken, bad copy paste?


Thanks for flagging. Looked like it was working at first, but must have been truncated & cutoff. Should be fixed now.


Nice work VGS team!
