“Never answer an anonymous letter”
—Yogi Berra
Did you ever wonder why doctor offices ask for your social security number?
They don’t want to keep your SSN, but it’s the primary “key” that identifies you to an insurance company. In computer science/math terms, they need to call a function. Let’s call it: int reimbursement(char * ssn)
When they plug your SSN into said function it returns a result (success, failure, more information needed, etc). Why does a lending company ask for your social? Same thing, but to look up your credit report. Why does Netflix need your credit card number? Same thing, but to get money from your bank. The problem is that these “keys” never change, are presented in the clear (your SSN never changes and you always write it down!), and function as a sort of bearer instrument — if you have the key, you can make a purchase, apply for a loan, etc.
It turns out none of these companies want to store this “confidential” and sensitive data (SSNs, credit cards, etc). They just want to perform operations on them.
Enter Very Good Security, aka VGS. (Cryptography people might recognize the name as a play on PGP, aka Pretty Good Privacy.) What VGS does is effectively redact and tokenize structured sensitive data — think credit cards, social security numbers, etc — returning a hashed form to the requestor. So instead of a doctor’s office storing your social, they might store a random string of letters returned to them by VGS (that is called the “tokenized” version, because it maps to the real version stored by VGS, and is not the same even across different VGS customers). When it’s time to bill your insurance company, their “reimbursement” code goes through VGS which “reveals” the token and sends the real version to the insurance company. VGS functions as a proxy server that scrambles/unscrambles sensitive information in real time.
Why is this important? For one, comparative advantage — VGS is built by security and cryptography experts whose only job is to store this stuff, not get hacked, and comply with often-complex regulatory requirements like PCI DSS and HIPAA (so companies don’t have to worry about it). For another, it provides provider portability. Many credit card processors bundle compliance, storage/tokenization, and processing — but if VGS is providing the first two, you can then easily change your “secure operations” provider and switch between reimbursement companies, card processors, credit report companies, etc.
It’s a very big idea, and the founders, Marshall and Mahmoud, built the company recognizing what a pain it was to deal with PCI compliance — why not outsource that to somebody? And this problem is not unique to PCI or the credit card processing world; it applies to all types of sensitive data and the secure operations that must be performed on said data.
We are incredibly excited to partner with VGS and help them build a category-defining enterprise platform.