| With a better understanding of how VGS works, I really just fall back to my weakest-link-in-the-chain questions: Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI? Does Lob provide any interface that shows sent mail and the content (it appears they do)? If so, and they don't hold any PCI certifications, what benefit do we really have with ever getting a VGS token? What stops you from scraping this data from Lob's API? --- Original comment below. I'm confused on how this data lands at Lob with an account number if you never get it. Correct me if I'm wrong, but the letter you send includes the account number and not the VGS token? All of my following questions assume an affirmative answer. How is the account number landed in Lob? It appears something must be calling the Lob API with an unencrypted account number? What is making that call? Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI? Does Lob provide any interface that shows sent mail and the content? If so, and they don't hold any PCI certifications, what benefit do we really have with ever getting a VGS token? |